Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
Analysis ID:	1458489
MD5:	156301b141411e5cfc6c06d34b6dca9d
SHA1:	3802929d012253b84f6825e4a4bdc3729366df5b
SHA256:	7e96bbce4a287218078120ec71b4964b6ed6b2727a052bbe2dc038c8be2baffd
Tags:	dll
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

loaddll32.exe (PID: 3180 cmdline: loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll" MD5: 51E6071F9CBA48E79F10C84515AAE618)

conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2656 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

rundll32.exe (PID: 3748 cmdline: rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1 MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3712 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 3568 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_l MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2616 cmdline: rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_l MD5: 889B99C52A60DD49227C5E485A016679)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

ReversingLabs: Detection: 37%

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: D:\perfecthook\ArcticTech\Release\ArcticTech.pdb source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	String found in binary or memory: http://scripts.sil.org/OFLMulishMediumWeightItalicRoman
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	String found in binary or memory: https://github.com/googlefonts/mulish)Mulish

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Binary or memory string: ...Slnt
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Binary or memory string: ...Slntcaught (...) exception

Source: classification engine

Classification label: mal48.winDLL@12/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_03

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\System32\loaddll32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\loaddll32.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

ReversingLabs: Detection: 37%

Source: unknown	Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll"
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_l
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_l
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_l	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_l	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1	Jump to behavior

Source: C:\Windows\System32\loaddll32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: d3dx9_43.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\System32\loaddll32.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK
Source: C:\Windows\SysWOW64\rundll32.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: More than 176 > 100 exports found

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static file information: File size 6404096 > 1048576

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4e3c00

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: D:\perfecthook\ArcticTech\Release\ArcticTech.pdb source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\System32\loaddll32.exe

Process queried: DebugPort

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Rundll32	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	38%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://github.com/googlefonts/mulish)Mulish	0%	Avira URL Cloud	safe
http://scripts.sil.org/OFLMulishMediumWeightItalicRoman	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/googlefonts/mulish)Mulish	SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	false	Avira URL Cloud: safe	unknown
http://scripts.sil.org/OFLMulishMediumWeightItalicRoman	SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1458489
Start date and time:	2024-06-17 18:22:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
Detection:	MAL
Classification:	mal48.winDLL@12/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .dll Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.68.123.157
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target loaddll32.exe, PID 3180 because there are no executed function
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	file.exe	Get hash	malicious	Xmrig	Browse	199.232.210.172
	https://www.sitesofconscience.org/	Get hash	malicious	Unknown	Browse	199.232.214.172
	DHL Package Documents clearance.exe	Get hash	malicious	AgentTesla	Browse	199.232.214.172
	https://agrtq.qc.ca/	Get hash	malicious	Unknown	Browse	199.232.210.172
	http://careertech.org	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.wiley-epic.com/	Get hash	malicious	Unknown	Browse	199.232.210.172
	LIHTCPUB_BIN.ACCDB	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://mattressashamed.com	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://olivine-geode-arrow.glitch.me	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	Vidar	Browse	199.232.210.172
fp2e7a.wpc.phicdn.net	http://js.opttracker.online	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://js.opttracker.online	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://shayleenterprise.uk/gc.PDF	Get hash	malicious	Phisher	Browse	192.229.221.95
	https://agrtq.qc.ca/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://netflix-ayudas.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://careertech.org	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.wiley-epic.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://www.wiley-epic.com/default.aspx?ac=2T5R8M7L3D	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://visit.keznews.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://rchstudios-my.sharepoint.com/:o:/g/personal/christine_rios_com/Esq925g1UP9CnNs3s12TUdYB6NSSHs2PEUmu5JrUgjQM3A?e=5%3a7dlpi5&at=9&xsdata=MDV8MDJ8amF5LnJvYmVzb25AemJldGEuY29tfGY4ODM4M2MxODZjMTQ0ZGVkNjk2MDhkYzhlZDRhODhifGVlYjJiZmMzYWJjMzRiZjc4MTE2YmY3ZWJjMTk5Nzc2fDB8MHw2Mzg1NDIyOTEyNzk2NTU2NjN8VW5rbm93bnxUV0ZwYkdac2IzZDhleUpXSWpvaU1DNHdMakF3TURBaUxDSlFJam9pVjJsdU16SWlMQ0pCVGlJNklrMWhhV3dpTENKWFZDSTZNbjA9fDYwMDAwfHx8&sdata=WGVqdFJkRS9ycTJVWGVnVmprM0pOT1FmYUM3alpFcFJPNHl6c1ptT01oWT0%3d	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95

File type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.517447576125027
TrID:	Win32 Dynamic Link Library (generic) (1002004/3) 99.60% Generic Win/DOS Executable (2004/3) 0.20% DOS Executable Generic (2002/1) 0.20% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll
File size:	6'404'096 bytes
MD5:	156301b141411e5cfc6c06d34b6dca9d
SHA1:	3802929d012253b84f6825e4a4bdc3729366df5b
SHA256:	7e96bbce4a287218078120ec71b4964b6ed6b2727a052bbe2dc038c8be2baffd
SHA512:	117182f320ef5aea0b9aa194ad52f66c025620a05677d69671ace6e844d1fd21bccaded0113fe2de962f20286fe0ed8ead99bbf9cd8f182143f952a249b13554
SSDEEP:	49152:YtFyIy6iRUVlfL3iNF/yYfyxwFhxLlgAFEp20W/2AGH8TIKQsA8+uNrteelX7tlT:q9NLVVyeFWn8t3pzo4WrhQQ75z4o
TLSH:	B1564C10E6129529F9EB00FAD7BC896EDCAC9E70134924F392C4B89A52F78D7353171B
File Content Preview:	MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$........@.4.!dg.!dg.!dg.Y.g.!dgX.`f.!dgX.gf.!dg.!dg.!dg.O`f.!dgHs.g.!dgX.af.!dgX.ef.!dg..yg.!dg.Yef.!dg.!eg. dgu.af.!dgj.af.!dgj.df.!d

File Icon


Icon Hash:	7ae282899bbab082

Static PE Info

General

Entrypoint:	0x104b67c2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x10000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x65D8D281 [Fri Feb 23 17:14:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	708e271b473e160a6cc6c5839c0a1455

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
cmp dword ptr [ebp+0Ch], 01h
jne 00007F4870D77C67h
call 00007F4870D77F03h
push dword ptr [ebp+10h]
push dword ptr [ebp+0Ch]
push dword ptr [ebp+08h]
call 00007F4870D77B13h
add esp, 0Ch
pop ebp
retn 000Ch
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
retn 0000h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
cmp cl, 00000040h
jnc 00007F4870D77C78h
cmp cl, 00000020h
jnc 00007F4870D77C68h
shrd eax, edx, cl
sar edx, cl
ret
mov eax, edx
sar edx, 1Fh
and cl, 0000001Fh
sar eax, cl
ret
sar edx, 1Fh
mov eax, edx
ret
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 1055F4D8h
mov dword ptr [ecx], 1050F488h
ret
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F4870D77C3Fh
push 105B2DECh
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F4870D77FAAh
int3
push ebp
mov ebp, esp
sub esp, 0Ch
lea ecx, dword ptr [ebp-0Ch]
call 00007F4870BBEC11h
push 105AC6A8h
lea eax, dword ptr [ebp-0Ch]
push eax
call 00007F4870D77F8Dh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push 104B68C5h
push dword ptr fs:[00000000h]

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5b2e10	0xf24	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5b3d34	0x190	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5f4000	0xf8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f5000	0x32d4c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x55f5a8	0x54	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x55f600	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x55f4e8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4e5000	0x5b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4e3a69	0x4e3c00	d8fde47a98eda024226d35856857f520	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x4e5000	0xd1b00	0xd1c00	9f951fc0ec0af97c5ff8559af913029d	False	0.24533252011323003	data	5.823457107673033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x5b7000	0x3ca14	0x32c00	c531929b07d934c4d4632dea36e9361c	False	0.45545335591133007	OpenPGP Public Key	6.661832207052584	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5f4000	0xf8	0x200	2da6e0e638e2c40915b862554e86e405	False	0.3359375	data	2.5312981004807127	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x5f5000	0x32d4c	0x32e00	34e1ec0c585819ff62ff86e88a1b2df3	False	0.4272496928746929	data	6.6947004347421055	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x5f4060	0x91	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.8689655172413793

Imports

DLL	Import
KERNEL32.dll	LoadLibraryA, GlobalAlloc, GlobalUnlock, GlobalLock, GlobalFree, MultiByteToWideChar, WideCharToMultiByte, AddVectoredExceptionHandler, GetCurrentProcess, ExitProcess, CreateThread, VirtualQuery, WriteProcessMemory, GetLastError, GetCurrentProcessId, VirtualProtect, Sleep, K32GetModuleInformation, GetSystemTimeAsFileTime, GetCurrentThreadId, IsDebuggerPresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsProcessorFeaturePresent, SleepConditionVariableSRW, WakeAllConditionVariable, VirtualFree, VirtualAlloc, GetModuleHandleExA, GetModuleFileNameA, GetModuleHandleA, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetFileInformationByHandleEx, AreFileApisANSI, FreeLibrary, QueryPerformanceFrequency, QueryPerformanceCounter, CloseHandle, GetFileAttributesExW, FindNextFileW, FindFirstFileExW, FindFirstFileW, FindClose, CreateFileW, CreateDirectoryW, GetCurrentDirectoryW, GetLocaleInfoEx, FormatMessageA, LocalFree, FlushInstructionCache, SetLastError, InitializeSListHead, GetProcAddress, WriteFile, CreateFileA, GetLocalTime
USER32.dll	GetAsyncKeyState, GetForegroundWindow, GetCursorPos, ScreenToClient, GetKeyState, GetCapture, GetClientRect, SetCursorPos, SetCursor, ClientToScreen, LoadCursorA, OpenClipboard, CloseClipboard, SetClipboardData, GetClipboardData, EmptyClipboard, MessageBoxA, CallWindowProcA, SetWindowLongA, FindWindowA, SetCapture, ReleaseCapture
GDI32.dll	AddFontMemResourceEx
MSVCP140.dll	?rdstate@ios_base@std@@QBEHXZ, ?setf@ios_base@std@@QAEHH@Z, ?setf@ios_base@std@@QAEHHH@Z, ?width@ios_base@std@@QBE_JXZ, ?width@ios_base@std@@QAE_J_J@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ, ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ, ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXH@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD0@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEPADXZ, ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBE_JXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAPAD0PAH001@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEDD@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@_N@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@PBD_J@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Xbad_function_call@std@@YAXXZ, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?_Incref@facet@locale@std@@UAEXXZ, ?_Decref@facet@locale@std@@UAEPAV_Facet_base@3@XZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?id@?$numpunct@D@std@@2V0locale@2@A, _Thrd_hardware_concurrency, _Mtx_init_in_situ, _Mtx_destroy_in_situ, _Mtx_lock, _Mtx_unlock, _Cnd_init_in_situ, _Cnd_destroy_in_situ, _Cnd_wait, _Cnd_broadcast, _Cnd_signal, ?_Throw_Cpp_error@std@@YAXH@Z, _Query_perf_counter, _Query_perf_frequency, ??4?$_Yarn@D@std@@QAEAAV01@PBD@Z, ?_New_Locimp@_Locimp@locale@std@@CAPAV123@ABV123@@Z, ?_Addfac@_Locimp@locale@std@@AAEXPAVfacet@23@I@Z, ?out@?$codecvt@_WDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PB_W1AAPB_WPAD3AAPAD@Z, ??0?$codecvt@_WDU_Mbstatet@@@std@@QAE@I@Z, ??1?$codecvt@_WDU_Mbstatet@@@std@@MAE@XZ, ?id@?$codecvt@_WDU_Mbstatet@@@std@@2V0locale@2@A, ??0facet@locale@std@@IAE@I@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ??Bid@locale@std@@QAEIXZ, ?c_str@?$_Yarn@D@std@@QBEPBDXZ, ?_Gettrue@_Locinfo@std@@QBEPBDXZ, ?_Getfalse@_Locinfo@std@@QBEPBDXZ, ?_Getlconv@_Locinfo@std@@QBEPBUlconv@@XZ, ??1_Locinfo@std@@QAE@XZ, ??0_Locinfo@std@@QAE@PBD@Z, ?_Winerror_map@std@@YAHH@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?always_noconv@codecvt_base@std@@QBE_NXZ, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ?_Syserror_map@std@@YAPBDH@Z, ?_Xout_of_range@std@@YAXPBD@Z, ?_Xlength_error@std@@YAXPBD@Z, ??1_Lockit@std@@QAE@XZ, ??0_Lockit@std@@QAE@H@Z, ?_Getcvt@_Locinfo@std@@QBE?AU_Cvtvec@@XZ, ?_Xbad_alloc@std@@YAXXZ, ?_Init@locale@std@@CAPAV_Locimp@12@_N@Z, ??1facet@locale@std@@MAE@XZ
d3dx9_43.dll	D3DXCreateFontA, D3DXCreateTextureFromFileInMemoryEx, D3DXCreateSprite
IMM32.dll	ImmSetCandidateWindow, ImmSetCompositionWindow, ImmGetContext, ImmReleaseContext
dbghelp.dll	SymFromAddr
VCRUNTIME140.dll	memmove, memcmp, memset, __CxxFrameHandler3, memcpy, _purecall, __std_exception_copy, __std_exception_destroy, _CxxThrowException, strchr, __std_type_info_destroy_list, _except_handler4_common, __current_exception_context, __current_exception, memchr, __std_type_info_compare, strstr, strrchr
api-ms-win-crt-string-l1-1-0.dll	wcslen, isblank, strpbrk, strncpy, toupper, strcpy, strncmp, strcpy_s, strlen, strcmp
api-ms-win-crt-heap-l1-1-0.dll	_callnewh, calloc, malloc, free
api-ms-win-crt-math-l1-1-0.dll	llround, sin, log, ceil, acos, _fdtest, _ldtest, cos, atan2, _dtest, _fdsign, cosh, asin, _ldsign, _dsign, ldexp, pow, sqrt, fmod, sinh, exp, tanh, _CIcosh, tan, _CItanh, fabs, floor, atan, _CIsinh
api-ms-win-crt-runtime-l1-1-0.dll	strerror, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _crt_atexit, terminate, _cexit, strerror_s, _initterm, _initterm_e, _seh_filter_dll, exit, abort, _errno, _invalid_parameter_noinfo_noreturn, _execute_onexit_table, system
api-ms-win-crt-convert-l1-1-0.dll	strtoul, strtod, atof, strtoll, strtoull
api-ms-win-crt-stdio-l1-1-0.dll	_wfopen, fseek, ftell, __p__fmode, __stdio_common_vfprintf, __stdio_common_vsscanf, __stdio_common_vsnprintf_s, tmpfile, _popen, _pclose, _ftelli64, fgets, clearerr, __stdio_common_vfwprintf, putchar, fputs, __stdio_common_vsprintf_p, __stdio_common_vsprintf_s, __stdio_common_vfscanf, __stdio_common_vfprintf_p, __stdio_common_vfprintf_s, fopen, __acrt_iob_func, __stdio_common_vswscanf, __stdio_common_vswprintf_p, tmpnam, __stdio_common_vsnwprintf_s, _get_stream_buffer_pointers, __stdio_common_vswprintf_s, freopen_s, __stdio_common_vswprintf, fclose, __stdio_common_vfwscanf, __stdio_common_vfwprintf_p, __stdio_common_vfwprintf_s, ungetc, setvbuf, getc, fwrite, _fseeki64, fsetpos, _fsopen, fread, fputc, fgetpos, fgetc, fflush, ferror, feof, __stdio_common_vsprintf
api-ms-win-crt-filesystem-l1-1-0.dll	_unlock_file, _lock_file, rename, remove
api-ms-win-crt-time-l1-1-0.dll	_mktime64, strftime, clock, _localtime64, _gmtime64, _difftime64, _time64
api-ms-win-crt-locale-l1-1-0.dll	localeconv, setlocale, ___lc_codepage_func
api-ms-win-crt-utility-l1-1-0.dll	qsort, rand, abs
api-ms-win-crt-environment-l1-1-0.dll	getenv

Exports

Name	Ordinal	Address
__swprintf_l	1	0x1046c040
__vswprintf_l	2	0x1046c070
_fprintf_l	3	0x1046c0a0
_fprintf_p	4	0x1046c0d0
_fprintf_p_l	5	0x1046c100
_fprintf_s_l	6	0x1046c130
_fscanf_l	7	0x1046c160
_fscanf_s_l	8	0x1046c190
_fwprintf_l	9	0x1046c1c0
_fwprintf_p	10	0x1046c1f0
_fwprintf_p_l	11	0x1046c220
_fwprintf_s_l	12	0x1046c250
_fwscanf_l	13	0x1046c280
_fwscanf_s_l	14	0x1046c2b0
_printf_l	15	0x1046c2e0
_printf_p	16	0x1046c310
_printf_p_l	17	0x1046c340
_printf_s_l	18	0x1046c370
_scanf_l	19	0x1046c3a0
_scanf_s_l	20	0x1046c3d0
_scprintf	21	0x1046c410
_scprintf_l	22	0x1046c440
_scprintf_p	23	0x1046c470
_scprintf_p_l	24	0x1046c4a0
_scwprintf	25	0x1046c4d0
_scwprintf_l	26	0x1046c500
_scwprintf_p	27	0x1046c530
_scwprintf_p_l	28	0x1046c560
_snprintf	29	0x1046c590
_snprintf_c	30	0x1046c5d0
_snprintf_c_l	31	0x1046c600
_snprintf_l	32	0x1046c630
_snprintf_s	33	0x1046c670
_snprintf_s_l	34	0x1046c6b0
_snscanf	35	0x1046c6f0
_snscanf_l	36	0x1046c720
_snscanf_s	37	0x1046c750
_snscanf_s_l	38	0x1046c780
_snwprintf	39	0x1046c7b0
_snwprintf_l	40	0x1046c7f0
_snwprintf_s	41	0x1046c830
_snwprintf_s_l	42	0x1046c870
_snwscanf	43	0x1046c8b0
_snwscanf_l	44	0x1046c8e0
_snwscanf_s	45	0x1046c910
_snwscanf_s_l	46	0x1046c940
_sprintf_l	47	0x1046c970
_sprintf_p	48	0x1046c9b0
_sprintf_p_l	49	0x1046c9e0
_sprintf_s_l	50	0x1046ca10
_sscanf_l	51	0x1046ca40
_sscanf_s_l	52	0x1046ca70
_swprintf	53	0x1046caa0
_swprintf_c	54	0x1046cad0
_swprintf_c_l	55	0x1046cb00
_swprintf_l	56	0x1046cb00
_swprintf_p	57	0x1046cb30
_swprintf_p_l	58	0x1046cb60
_swprintf_s_l	59	0x1046cb90
_swscanf_l	60	0x1046cbc0
_swscanf_s_l	61	0x1046cbf0
_vfprintf_l	62	0x103fd4e0
_vfprintf_p	63	0x1046cc20
_vfprintf_p_l	64	0x1046cc50
_vfprintf_s_l	65	0x1046cc80
_vfscanf_l	66	0x1046ccb0
_vfscanf_s_l	67	0x1046cce0
_vfwprintf_l	68	0x1046cd10
_vfwprintf_p	69	0x1046cd40
_vfwprintf_p_l	70	0x1046cd70
_vfwprintf_s_l	71	0x1046cda0
_vfwscanf_l	72	0x1046cdd0
_vfwscanf_s_l	73	0x1046ce00
_vprintf_l	74	0x1046ce30
_vprintf_p	75	0x1046ce60
_vprintf_p_l	76	0x1046ce90
_vprintf_s_l	77	0x1046cec0
_vscanf_l	78	0x1046cef0
_vscanf_s_l	79	0x1046cf20
_vscprintf	80	0x1046cf50
_vscprintf_l	81	0x1046cf80
_vscprintf_p	82	0x1046cfb0
_vscprintf_p_l	83	0x1046cfe0
_vscwprintf	84	0x1046d010
_vscwprintf_l	85	0x1046d040
_vscwprintf_p	86	0x1046d070
_vscwprintf_p_l	87	0x1046d0a0
_vsnprintf	88	0x103fd510
_vsnprintf_c	89	0x1046d0d0
_vsnprintf_c_l	90	0x1046d100
_vsnprintf_l	91	0x103fd530
_vsnprintf_s	92	0x10468ad0
_vsnprintf_s_l	93	0x10468b00
_vsnwprintf	94	0x1046d130
_vsnwprintf_l	95	0x1046d170
_vsnwprintf_s	96	0x1046d1b0
_vsnwprintf_s_l	97	0x1046d1f0
_vsnwscanf_l	98	0x1046d230
_vsnwscanf_s_l	99	0x1046d260
_vsprintf_l	100	0x104485f0
_vsprintf_p	101	0x1046d290
_vsprintf_p_l	102	0x1046d2c0
_vsprintf_s_l	103	0x1046d2f0
_vsscanf_l	104	0x103fd590
_vsscanf_s_l	105	0x1046d320
_vswprintf	106	0x1046d350
_vswprintf_c	107	0x1046d380
_vswprintf_c_l	108	0x1046d3b0
_vswprintf_l	109	0x1046d3b0
_vswprintf_p	110	0x1046d3e0
_vswprintf_p_l	111	0x1046d410
_vswprintf_s_l	112	0x1046d440
_vswscanf_l	113	0x1046d470
_vswscanf_s_l	114	0x1046d4a0
_vwprintf_l	115	0x1046d4d0
_vwprintf_p	116	0x1046d500
_vwprintf_p_l	117	0x1046d530
_vwprintf_s_l	118	0x1046d560
_vwscanf_l	119	0x1046d590
_vwscanf_s_l	120	0x1046d5c0
_wprintf_l	121	0x1046d5f0
_wprintf_p	122	0x1046d620
_wprintf_p_l	123	0x1046d650
_wprintf_s_l	124	0x1046d680
_wscanf_l	125	0x1046d6b0
_wscanf_s_l	126	0x1046d6e0
fprintf	127	0x1046d7d0
fprintf_s	128	0x1046d800
fscanf	129	0x1046d830
fscanf_s	130	0x1046d860
fwprintf	131	0x1046d890
fwprintf_s	132	0x1046d8c0
fwscanf	133	0x1046d8f0
fwscanf_s	134	0x1046d920
printf	135	0x103fd5c0
printf_s	136	0x1046df30
scanf	137	0x1046dfc0
scanf_s	138	0x1046dff0
snprintf	139	0x103978a0
sprintf	140	0x10448610
sprintf_s	141	0x1046e020
sscanf	142	0x103fd610
sscanf_s	143	0x1046e050
swprintf	144	0x1046cad0
swprintf_s	145	0x1046e080
swscanf	146	0x1046e0b0
swscanf_s	147	0x1046e0e0
vfprintf	148	0x1046e110
vfprintf_s	149	0x1046e140
vfscanf	150	0x1046e170
vfscanf_s	151	0x1046e1a0
vfwprintf	152	0x1046e1d0
vfwprintf_s	153	0x1046e200
vfwscanf	154	0x1046e230
vfwscanf_s	155	0x1046e260
vprintf	156	0x1046e290
vprintf_s	157	0x1046e2c0
vscanf	158	0x1046e2f0
vscanf_s	159	0x1046e320
vsnprintf	160	0x10397900
vsnprintf_s	161	0x1046e350
vsprintf	162	0x1046e390
vsprintf_s	163	0x1046e3c0
vsscanf	164	0x1046e3f0
vsscanf_s	165	0x1046e420
vswprintf	166	0x1046d380
vswprintf_s	167	0x1046e450
vswscanf	168	0x1046e480
vswscanf_s	169	0x1046e4b0
vwprintf	170	0x1046e4e0
vwprintf_s	171	0x1046e510
vwscanf	172	0x1046e540
vwscanf_s	173	0x1046e570
wprintf	174	0x1046e5a0
wprintf_s	175	0x1046e5d0
wscanf	176	0x1046e600
wscanf_s	177	0x1046e630

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jun 17, 2024 18:23:22.989686966 CEST	1.1.1.1	192.168.2.5	0x4580	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false
Jun 17, 2024 18:23:22.989686966 CEST	1.1.1.1	192.168.2.5	0x4580	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Jun 17, 2024 18:23:23.610440969 CEST	1.1.1.1	192.168.2.5	0x3d40	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Jun 17, 2024 18:23:23.610440969 CEST	1.1.1.1	192.168.2.5	0x3d40	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	12:23:04
Start date:	17/06/2024
Path:	C:\Windows\System32\loaddll32.exe
Wow64 process (32bit):	true
Commandline:	loaddll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll"
Imagebase:	0xee0000
File size:	126'464 bytes
MD5 hash:	51E6071F9CBA48E79F10C84515AAE618
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	12:23:04
Start date:	17/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	12:23:04
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /C rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1
Imagebase:	0x790000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	12:23:04
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__swprintf_l
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	12:23:04
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll",#1
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	12:23:07
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,__vswprintf_l
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	12:23:10
Start date:	17/06/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll,_fprintf_l
Imagebase:	0x970000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

DNS Answers

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: loaddll32.exePID: 3180, Parent PID: 1028

General

Chronological Activities

Analysis Process: conhost.exePID: 3220, Parent PID: 3180

General

Chronological Activities

Analysis Process: cmd.exePID: 2656, Parent PID: 3180

General

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.476018.8153.3189.dll