Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Analysis ID:	1539813
MD5:	b352a969814c63eb03f8771d0b61c763
SHA1:	fcd849e29f057f46766738c8cd4ce91a4c7e537e
SHA256:	1c4f4363a89bb180c36067da145fbc4086217bb5c55312dfa8605b127b3ac35a
Tags:	exe

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Potentially malicious time measurement code found

Contains functionality for execution timing, often used to detect debuggers

Detected potential crypto function

PE file contains sections with non-standard names

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe (PID: 3136 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe" MD5: B352A969814C63EB03F8771D0B61C763)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Virustotal: Detection: 12%

Perma Link

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000002.2085346990.00007FF6C2F69000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_4c651ae1-8

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: crypto\encode_decode\decoder_meth.cossl_decoder_newossl_decoder_from_algorithminner_ossl_decoder_fetch<null>%s, Name (%s : %d), Properties (%s)OSSL_DECODER_get0_providerOSSL_DECODER_get0_propertiesossl_decoder_parsed_propertiesOSSL_DECODER_CTX_newOSSL_DECODER_from_biocrypto\encode_decode\decoder_lib.cNo decoders were found. For standard decoders you need at least one of the default or base providers available. Did you forget to load them?Input type: Input structure: No supported data to decode. %s%s%s%s%s%sOSSL_DECODER_from_dataOSSL_DECODER_CTX_set_selectionOSSL_DECODER_CTX_set_input_typeOSSL_DECODER_CTX_set_input_structureossl_decoder_instance_newthere are no property definitions with decoder %sinputthe mandatory 'input' property is missing for decoder %s (properties: %s)structureossl_decoder_ctx_add_decoder_instOSSL_DECODER_CTX_add_extraOSSL_DECODER_CTX_set_constructOSSL_DECODER_CTX_set_construct_dataOSSL_DECODER_CTX_set_cleanupdata-typedata-structuredecoder_processcrypto\encode_decode\decoder_pkey.creference1.2.840.10045.2.1ossl_decoder_ctx_setup_for_pkeyOSSL_DECODER_CTX_new_for_pkeycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificE:\NGULibraries\openssl-3.0.11\build\sslE:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\ossl-modules.dllCPUINFO: crypto\bio\bio_sock.cBIO_sock_initcalling wsastartup()BIO_socket_ioctlcalling ioctlsocket()@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source:	Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed May 15 23:28:32 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "E:\NGULibraries\openssl-3.0.11\build\ssl"ENGINESDIR: "E:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\engines-3"MODULESDIR: "E:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_ctrlBIO_callback_ctrlBIO_find_type source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source:	Binary string: E:\X\x64\Release\ActiveState.pdb source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000002.2085008638.0000019EDF9AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://154.53.160.19/ActiveState/
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Code function: 0_2_00007FF6C2CB1500		0_2_00007FF6C2CB1500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Code function: 0_2_00007FF6C2CCAF40		0_2_00007FF6C2CCAF40

Source: classification engine

Classification label: mal52.evad.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

File created: C:\Users\user\Desktop\log.bin

Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Virustotal: Detection: 12%

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	String found in binary or memory: id-cmc-addExtensions
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	String found in binary or memory: set-addPolicy

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static file information: File size 3981312 > 1048576

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2b8000

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: crypto\encode_decode\decoder_meth.cossl_decoder_newossl_decoder_from_algorithminner_ossl_decoder_fetch<null>%s, Name (%s : %d), Properties (%s)OSSL_DECODER_get0_providerOSSL_DECODER_get0_propertiesossl_decoder_parsed_propertiesOSSL_DECODER_CTX_newOSSL_DECODER_from_biocrypto\encode_decode\decoder_lib.cNo decoders were found. For standard decoders you need at least one of the default or base providers available. Did you forget to load them?Input type: Input structure: No supported data to decode. %s%s%s%s%s%sOSSL_DECODER_from_dataOSSL_DECODER_CTX_set_selectionOSSL_DECODER_CTX_set_input_typeOSSL_DECODER_CTX_set_input_structureossl_decoder_instance_newthere are no property definitions with decoder %sinputthe mandatory 'input' property is missing for decoder %s (properties: %s)structureossl_decoder_ctx_add_decoder_instOSSL_DECODER_CTX_add_extraOSSL_DECODER_CTX_set_constructOSSL_DECODER_CTX_set_construct_dataOSSL_DECODER_CTX_set_cleanupdata-typedata-structuredecoder_processcrypto\encode_decode\decoder_pkey.creference1.2.840.10045.2.1ossl_decoder_ctx_setup_for_pkeyOSSL_DECODER_CTX_new_for_pkeycompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC;CPUINFO: OPENSSL_ia32cap=0x%llx:0x%llxOPENSSL_ia32cap env:%sos-specificE:\NGULibraries\openssl-3.0.11\build\sslE:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\ossl-modules.dllCPUINFO: crypto\bio\bio_sock.cBIO_sock_initcalling wsastartup()BIO_socket_ioctlcalling ioctlsocket()@@@@@@@@@hHHHH@@@@@@@@@@@@@@@@@@( source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source:	Binary string: crypto\stack\stack.cOPENSSL_sk_dupOPENSSL_sk_deep_copysk_reserveOPENSSL_sk_new_reserveOPENSSL_sk_reserveOPENSSL_sk_insertOPENSSL_sk_seti=%dcompiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PICOpenSSL 3.0.11 19 Sep 20233.0.11built on: Wed May 15 23:28:32 2024 UTCplatform: VC-WIN64AOPENSSLDIR: "E:\NGULibraries\openssl-3.0.11\build\ssl"ENGINESDIR: "E:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\engines-3"MODULESDIR: "E:\NGULibraries\openssl-3.0.11\build\static_lib\x64\Release\lib\ossl-modules"CPUINFO: N/Anot availablecrypto\bio\bio_lib.cBIO_new_exbio_read_internbio_write_internBIO_putsBIO_getsBIO_ctrlBIO_callback_ctrlBIO_find_type source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source:	Binary string: E:\X\x64\Release\ActiveState.pdb source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Source:	Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Static PE information: section name: .msvcjmc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Code function: 0_2_00007FF6C2CB1020 rdtsc

0_2_00007FF6C2CB1020

Source: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000003.2084368550.0000019EDF9D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000003.2084459984.0000019EDF9DC000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllK

Anti Debugging

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Code function: 0_2_00007FF6C2CB13B0		0_2_00007FF6C2CB13B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	Code function: 0_2_00007FF6C2CB1350		0_2_00007FF6C2CB1350

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Code function: 0_2_00007FF6C2CB1020 rdtsc

0_2_00007FF6C2CB1020

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Code function: 0_2_00007FF6C2DEA854 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF6C2DEA854

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	12%	Virustotal		Browse

Source	Detection	Scanner	Link
https://curl.se/docs/hsts.html	0%	Virustotal	Browse
http://154.53.160.19/ActiveState/	0%	Virustotal	Browse
https://curl.se/docs/alt-svc.html	0%	Virustotal	Browse
https://curl.se/docs/http-cookies.html	0%	Virustotal	Browse

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	false	0%, Virustotal, Browse	unknown
http://154.53.160.19/ActiveState/	SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, 00000000.00000002.2085008638.0000019EDF9AC000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse	unknown
https://curl.se/docs/alt-svc.html	SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	false	0%, Virustotal, Browse	unknown
https://curl.se/docs/http-cookies.html	SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe	false	0%, Virustotal, Browse	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1539813
Start date and time:	2024-10-23 07:22:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 2m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Detection:	MAL
Classification:	mal52.evad.winEXE@1/1@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe, PID 3136 because there are no executed function

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.9460400385293575
Encrypted:	false
SSDEEP:	3:Hcb2ME80LRgeXdTVcL4AQWgUjXUvmC4DrS90bXqyEAQe4fcvMLIq:HcczLRgIzcLNQkEvmROiJE1NcvMLIq
MD5:	3ABC5CBBD723C848997AEAA1AEA345EF
SHA1:	7F6C6C898AA8D221E359D3F35010F598126D89C5
SHA-256:	5FF0C0A20F6FAEF8F2A93D7B2E073FCCEC0D91BF93FCF2279FFD6C08CBB5A9AC
SHA-512:	90B73CD67CBF13911F906D5044EFF86AF4887F78B0367269073FAF53400A39068ED4C1FD8DA75E3E3D3306414030A455B52598D4E36993C9E19EF2500CB75E5D
Malicious:	false
Reputation:	low
Preview:	SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe Release x641.0.0Started!..Couldn't get computer name and/or username!..Couldn't get current software hash!..Exiting.....

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.562038049411947
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
File size:	3'981'312 bytes
MD5:	b352a969814c63eb03f8771d0b61c763
SHA1:	fcd849e29f057f46766738c8cd4ce91a4c7e537e
SHA256:	1c4f4363a89bb180c36067da145fbc4086217bb5c55312dfa8605b127b3ac35a
SHA512:	9088be263ccc1523392fb862f4261a399a7e02a428ac1df0ee538b1aa9739dd59f442148f9a2939f0cf1f94cf8d67e56e86d402455ca20537c37497f3686800b
SSDEEP:	49152:MGtlqZnIU6i1VwASOXajGuSm3RT1NYz9wp2m0y7xLkWKO10CB1pDAsLmYMqI51qD:n+FGJhww/gWnjh3wzk
TLSH:	F4068C6AB7A800ECD4B6C138C5464223D7B1F86617B097EB16A0D6BA1F73AD55F3E700
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$..........!...r...r...r..*r...r..Dr...r...s...r...s...r...s...r...s...r...s...r...s...r...s...r...r+..r...s...ro..sZ..r...r...r...s...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140139fb4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671857AE [Wed Oct 23 01:55:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	d39e10ae211b8efcd3ba9dc362e6a9e7

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FCC5C6470BCh
dec eax
add esp, 28h
jmp 00007FCC5C64669Fh
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push edi
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc ebp
xor ebx, ebx
inc esp
mov edx, edx
inc ecx
xor eax, 6C65746Eh
inc ecx
xor edx, 49656E69h
inc esp
mov ecx, ebx
mov esi, eax
xor ecx, ecx
inc ecx
lea eax, dword ptr [ebx+01h]
inc ebp
or edx, eax
cpuid
inc ecx
xor ecx, 756E6547h
mov dword ptr [esp], eax
inc ebp
or edx, ecx
mov dword ptr [esp+04h], ebx
mov edi, ecx
mov dword ptr [esp+08h], ecx
mov dword ptr [esp+0Ch], edx
jne 00007FCC5C64687Dh
dec eax
or dword ptr [0026418Fh], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [00264177h], 00008000h
cmp eax, 000106C0h
je 00007FCC5C64684Ah
cmp eax, 00020660h
je 00007FCC5C646843h
cmp eax, 00020670h
je 00007FCC5C64683Ch
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007FCC5C646846h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007FCC5C646836h
inc esp
mov eax, dword ptr [00D77A41h]
inc ecx
or eax, 01h
inc esp
mov dword ptr [00D77A36h], eax
jmp 00007FCC5C646829h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x395e60	0x8cc	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x39672c	0x1e0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xed7000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0xeb4000	0x21a98	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xed8000	0x9d40	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x376670	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x376700	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x376530	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b9000	0xc28	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2b7eb3	0x2b8000	e4ef72ee848f7ef5314dd762763263ce	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2b9000	0xe0606	0xe0800	dd5c8fb0d4286b441532f303709e2fd6	False	0.3292277108853007	data	5.239422717213847	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39a000	0xb19f14	0x7400	9f2d57ff60e75a668ebd68a046a9b983	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0xeb4000	0x21a98	0x21c00	033c127d5fc6c7c3aadac9bd85ffecec	False	0.4734302662037037	data	6.261992574655434	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.msvcjmc	0xed6000	0x328	0x400	750ab9d9a21bc77d81a741153c156ca1	False	0.01953125	Targa image data - Map (257-257) 257 x 257 x 1 +257 +257 - 1-bit alpha "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001"	0.7432709194035553	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xed7000	0x1e0	0x200	6f1c1702db248598e403068006bc6ba2	False	0.53125	data	4.7176788329467545	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xed8000	0x9d40	0x9e00	ac512fd1e9d1d60042d0318ea59485f4	False	0.2881971914556962	data	5.442406663752315	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0xed7060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
CRYPT32.dll	CertGetCertificateContextProperty, CertFindCertificateInStore, CertOpenSystemStoreA, CertCloseStore, CertGetIntendedKeyUsage, CertGetEnhancedKeyUsage, CertFreeCertificateContext, CertEnumCertificatesInStore, CertDuplicateCertificateContext, CertOpenStore
WLDAP32.dll
WS2_32.dll	send, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, getsockopt, WSASetEvent, WSAWaitForMultipleEvents, gethostbyaddr, closesocket, WSAGetLastError, WSAResetEvent, WSASetLastError, inet_ntop, inet_ntoa, gethostbyname, WSACleanup, inet_pton, htons, socket, setsockopt, WSAIoctl, __WSAFDIsSet, getservbyport, getservbyname, select, accept, bind, connect, getsockname, htonl, listen, recv, getaddrinfo, freeaddrinfo, recvfrom, sendto, getpeername, ioctlsocket, gethostname, shutdown, inet_addr, ntohs, WSAStartup
KERNEL32.dll	FindNextFileW, FindFirstFileW, FindClose, CreateFiberEx, DeleteFiber, SwitchToFiber, VirtualFree, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, AcquireSRWLockShared, ReleaseSRWLockShared, InitializeSRWLock, ReadConsoleW, ReadConsoleA, SetConsoleMode, GetConsoleMode, GetEnvironmentVariableW, VirtualQuery, GetProcessHeap, HeapFree, HeapAlloc, InitializeSListHead, GetModuleHandleW, GetStartupInfoW, RaiseException, IsDebuggerPresent, CreateDirectoryW, GetFileAttributesW, CloseHandle, GetLastError, GetModuleHandleExW, CopyFileW, GetComputerNameW, MultiByteToWideChar, WideCharToMultiByte, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, SetLastError, FormatMessageW, QueryPerformanceCounter, GetTickCount, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceFrequency, GetSystemDirectoryA, FreeLibrary, GetModuleHandleA, GetProcAddress, LoadLibraryA, Sleep, MoveFileExA, WaitForSingleObjectEx, CompareFileTime, GetSystemTimeAsFileTime, GetEnvironmentVariableA, GetCurrentProcessId, GetStdHandle, GetFileType, ReadFile, PeekNamedPipe, WaitForMultipleObjects, SleepEx, VerSetConditionMask, VerifyVersionInfoW, GetSystemTime, SystemTimeToFileTime, CreateProcessW, WriteFile, GetACP, ConvertFiberToThread, ConvertThreadToFiberEx, LoadLibraryW, GetCurrentThreadId, WakeAllConditionVariable, SleepConditionVariableSRW, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, FormatMessageA
ADVAPI32.dll	CryptHashData, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptDestroyHash, DeregisterEventSource, RegisterEventSourceW, CryptEnumProvidersW, CryptSignHashW, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptAcquireContextW, ReportEventW, GetUserNameW
ole32.dll	CoInitialize, CoCreateInstance
MSVCP140.dll	?_Xinvalid_argument@std@@YAXPEBD@Z, ??0_Lockit@std@@QEAA@H@Z, _Query_perf_counter, _Query_perf_frequency, _Thrd_sleep, ??Bid@locale@std@@QEAA_KXZ, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?read@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEAD_J@Z, ?seekg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@V?$fpos@U_Mbstatet@@@2@@Z, ?tellg@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA?AV?$fpos@U_Mbstatet@@@2@XZ, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Xbad_function_call@std@@YAXXZ, ??1_Lockit@std@@QEAA@XZ, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ?_Xlength_error@std@@YAXPEBD@Z, ?_Xout_of_range@std@@YAXPEBD@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, _Xtime_get_ticks
bcrypt.dll	BCryptGenRandom
VCRUNTIME140.dll	strchr, strrchr, strstr, _purecall, __std_terminate, __current_exception, memcmp, _CxxThrowException, __C_specific_handler_noexcept, __vcrt_GetModuleFileNameW, __vcrt_LoadLibraryExW, memmove, memcpy, memchr, memset, __current_exception_context, __std_exception_copy, wcsstr, __C_specific_handler, __std_exception_destroy
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	__sys_nerr, __sys_errlist, _seh_filter_exe, _register_thread_local_exe_atexit_callback, raise, _exit, _initterm_e, _initterm, strerror_s, _c_exit, signal, exit, _errno, _get_narrow_winmain_command_line, _beginthreadex, _crt_atexit, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, __p___argv, _set_app_type, _invalid_parameter_noinfo_noreturn, terminate, _cexit
api-ms-win-crt-stdio-l1-1-0.dll	fputc, _set_fmode, __stdio_common_vswprintf, _wfopen, __stdio_common_vsnprintf_s, __stdio_common_vfprintf, ferror, fread, fclose, fsetpos, fopen, __p__commode, _lseeki64, _fseeki64, fwrite, _pclose, _popen, fgets, setvbuf, _open, _setmode, ungetc, __stdio_common_vsscanf, __stdio_common_vsprintf_s, __stdio_common_vsprintf, ftell, fgetpos, fputs, fgetc, fflush, feof, _get_stream_buffer_pointers, _close, __acrt_iob_func, _fileno, _write, _read, fseek
api-ms-win-crt-heap-l1-1-0.dll	free, _set_new_mode, malloc, calloc, _callnewh, realloc
api-ms-win-crt-convert-l1-1-0.dll	atoi, strtoul, wcstombs, strtol, strtoll
api-ms-win-crt-filesystem-l1-1-0.dll	_lock_file, _stat64i32, _unlink, _fstat64, _stat64, _access, _unlock_file
api-ms-win-crt-string-l1-1-0.dll	strncmp, strcspn, isdigit, _strdup, strspn, strcmp, strcat_s, strcpy_s, strncpy_s, strpbrk, isalpha, isspace, tolower, strncpy
api-ms-win-crt-time-l1-1-0.dll	_gmtime64_s, _time64, _localtime64_s, strftime, _gmtime64
api-ms-win-crt-utility-l1-1-0.dll	qsort
api-ms-win-crt-multibyte-l1-1-0.dll	_mbspbrk
api-ms-win-crt-math-l1-1-0.dll	_fdopen, __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale
USER32.dll	GetUserObjectInformationW, MessageBoxW, GetProcessWindowStation
api-ms-win-crt-environment-l1-1-0.dll	getenv

Exports

Name	Ordinal	Address
curl_easy_cleanup	1	0x140094920
curl_easy_duphandle	2	0x140094950
curl_easy_escape	3	0x1400dd3a0
curl_easy_getinfo	4	0x140094d40
curl_easy_header	5	0x1400de2f0
curl_easy_init	6	0x140094d70
curl_easy_nextheader	7	0x1400de4d0
curl_easy_pause	8	0x140094de0
curl_easy_perform	9	0x140095030
curl_easy_recv	10	0x1400951c0
curl_easy_reset	11	0x1400952b0
curl_easy_send	12	0x140095340
curl_easy_setopt	13	0x1400991a0
curl_easy_strerror	14	0x140095900
curl_easy_unescape	15	0x1400dd540
curl_easy_upkeep	16	0x140095440
curl_escape	17	0x1400dd670
curl_formadd	18	0x1400946d0
curl_formfree	19	0x140094700
curl_formget	20	0x140094770
curl_free	21	0x14009fcf0
curl_getdate	22	0x1400c0400
curl_getenv	23	0x1400c6c10
curl_global_cleanup	24	0x1400954e0
curl_global_init	25	0x140095540
curl_global_init_mem	26	0x140095580
curl_global_sslset	27	0x140095670
curl_global_trace	28	0x1400956d0
curl_maprintf	29	0x1400b1ea0
curl_mfprintf	30	0x1400b1ed0
curl_mime_addpart	31	0x14009a640
curl_mime_data	32	0x14009a700
curl_mime_data_cb	33	0x14009a7e0
curl_mime_encoder	34	0x14009a850
curl_mime_filedata	35	0x14009a8f0
curl_mime_filename	36	0x14009aac0
curl_mime_free	37	0x14009ab40
curl_mime_headers	38	0x14009aba0
curl_mime_init	39	0x14009ac20
curl_mime_name	40	0x14009acc0
curl_mime_subparts	41	0x14009ad40
curl_mime_type	42	0x14009adf0
curl_mprintf	43	0x1400b1f00
curl_msnprintf	44	0x1400b1f50
curl_msprintf	45	0x1400b1fc0
curl_multi_add_handle	46	0x14009c9e0
curl_multi_assign	47	0x14009cc20
curl_multi_cleanup	48	0x14009cc70
curl_multi_fdset	49	0x14009cdb0
curl_multi_info_read	50	0x14009cf20
curl_multi_init	51	0x14009cfb0
curl_multi_perform	52	0x14009d110
curl_multi_poll	53	0x14009d230
curl_multi_remove_handle	54	0x14009d260
curl_multi_setopt	55	0x14009d480
curl_multi_socket	56	0x14009d640
curl_multi_socket_action	57	0x14009d690
curl_multi_socket_all	58	0x14009d6e0
curl_multi_strerror	59	0x140095d70
curl_multi_timeout	60	0x14009d760
curl_multi_wait	61	0x14009d790
curl_multi_wakeup	62	0x14009d7c0
curl_mvaprintf	63	0x1400b2000
curl_mvfprintf	64	0x1400b20a0
curl_mvprintf	65	0x1400b20c0
curl_mvsnprintf	66	0x1400b2100
curl_mvsprintf	67	0x1400b2160
curl_share_cleanup	68	0x1400b3e00
curl_share_init	69	0x1400b3f40
curl_share_setopt	70	0x1400b3f90
curl_share_strerror	71	0x140095e50
curl_slist_append	72	0x14009bf00
curl_slist_free_all	73	0x14009bfa0
curl_strequal	74	0x1400b3670
curl_strnequal	75	0x1400b36e0
curl_unescape	76	0x1400dd680
curl_url	77	0x1400da6a0
curl_url_cleanup	78	0x1400da6b0
curl_url_dup	79	0x1400da6e0
curl_url_get	80	0x1400da840
curl_url_set	81	0x1400db050
curl_url_strerror	82	0x140095ec0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	01:23:02
Start date:	23/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe"
Imagebase:	0x7ff6c2cb0000
File size:	3'981'312 bytes
MD5 hash:	B352A969814C63EB03F8771D0B61C763
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00007FF6C2DEA854 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF6C2DEA880
GetCurrentThreadId.KERNEL32 ref: 00007FF6C2DEA88E
GetCurrentProcessId.KERNEL32 ref: 00007FF6C2DEA89A
QueryPerformanceCounter.KERNEL32 ref: 00007FF6C2DEA8AA

Memory Dump Source

Source File: 00000000.00000002.2085165869.00007FF6C2CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2CB0000, based on PE: true

Associated: 00000000.00000002.2085149502.00007FF6C2CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085346990.00007FF6C2F69000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085412476.00007FF6C304A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085431470.00007FF6C3050000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3051000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085730685.00007FF6C3B64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085755611.00007FF6C3B87000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c2cb0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 544660ef1adda2d0d3465b46f70e1f5bad1ab980ae675daa52b1b844dfe20aed
Instruction ID: 928e7eeab497201c8e0c0f26e92772dcdf7d7ee48cb9434570022d1d9cc2d24f
Opcode Fuzzy Hash: 544660ef1adda2d0d3465b46f70e1f5bad1ab980ae675daa52b1b844dfe20aed
Instruction Fuzzy Hash: E5111832B54B058AEB00DF64E8952B833A4FB19B59F441E31DEAD877A4DF78D198C340

Function 00007FF6C2CB1500 Relevance: .6, Instructions: 643COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085165869.00007FF6C2CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2CB0000, based on PE: true

Associated: 00000000.00000002.2085149502.00007FF6C2CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085346990.00007FF6C2F69000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085412476.00007FF6C304A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085431470.00007FF6C3050000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3051000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085730685.00007FF6C3B64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085755611.00007FF6C3B87000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c2cb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9f9c2d38e9315b76ebff0ecb0babbfd6debcdf9fdbde13dbfd29e63910a9b1
Instruction ID: 6a9e3912bce0d61b31a29766b48d6367eafb8462161866da0784ea79eee18311
Opcode Fuzzy Hash: ce9f9c2d38e9315b76ebff0ecb0babbfd6debcdf9fdbde13dbfd29e63910a9b1
Instruction Fuzzy Hash: 0D324D730746404BD31F8F2EE99168AB291F748AA2749B238FE57C7B54F67CEE158600

Function 00007FF6C2CCAF40 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085165869.00007FF6C2CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2CB0000, based on PE: true

Associated: 00000000.00000002.2085149502.00007FF6C2CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085346990.00007FF6C2F69000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085412476.00007FF6C304A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085431470.00007FF6C3050000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3051000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085730685.00007FF6C3B64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085755611.00007FF6C3B87000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c2cb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c4d506d6f5baa5ddf45db93394aa0249ac63765b51e1c6f4cbb588a991aae8
Instruction ID: d421682990757b21f96da440c686f297c44132811b3019abdbc8e79101ba4398
Opcode Fuzzy Hash: 64c4d506d6f5baa5ddf45db93394aa0249ac63765b51e1c6f4cbb588a991aae8
Instruction Fuzzy Hash: 8F3257F6B90A6596DB048F16E94178D7B64F319BC9F898526DF8C83B54EB38E472C300

Function 00007FF6C2CB13B0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085165869.00007FF6C2CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2CB0000, based on PE: true

Associated: 00000000.00000002.2085149502.00007FF6C2CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085346990.00007FF6C2F69000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085412476.00007FF6C304A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085431470.00007FF6C3050000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3051000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085730685.00007FF6C3B64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085755611.00007FF6C3B87000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c2cb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da4e0bef70938cbff3ddc027717a94aa642f7c83641c9a7372ad5beb682580e2
Instruction ID: 785a28f7c18957084dd2479ea630a1827c0365b4013d5e944545ea9c4204b593
Opcode Fuzzy Hash: da4e0bef70938cbff3ddc027717a94aa642f7c83641c9a7372ad5beb682580e2
Instruction Fuzzy Hash: 1CF0BE323683A045CB95CA3AA508F596EE19796BC9F22D030EA4CC3F14F92EC6118B00

Function 00007FF6C2CB1350 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085165869.00007FF6C2CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2CB0000, based on PE: true

Associated: 00000000.00000002.2085149502.00007FF6C2CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085346990.00007FF6C2F69000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085412476.00007FF6C304A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085431470.00007FF6C3050000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3051000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085730685.00007FF6C3B64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085755611.00007FF6C3B87000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c2cb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08034d843012e041d9826064999ec11cfe67fa1a964a6beaae8090bac19fbb3b
Instruction ID: bc357a5f053f667943e306a0d30d28b98f9f1f1203cb8868fc832bda2988fd1a
Opcode Fuzzy Hash: 08034d843012e041d9826064999ec11cfe67fa1a964a6beaae8090bac19fbb3b
Instruction Fuzzy Hash: E2E04F727193A445CB96CE3B2608EA96AE4A759BCAF43D030DE4DC3F55FD6EC6018B40

Function 00007FF6C2CB1020 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2085165869.00007FF6C2CB1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF6C2CB0000, based on PE: true

Associated: 00000000.00000002.2085149502.00007FF6C2CB0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085346990.00007FF6C2F69000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085412476.00007FF6C304A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085431470.00007FF6C3050000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3051000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085449632.00007FF6C3B61000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085730685.00007FF6C3B64000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2085755611.00007FF6C3B87000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff6c2cb0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0a9a5407497fd1e8d7d80731b49a5348b77e3e96a071c0c0590965096a0236e
Instruction ID: 24d7d5f9e2fdc4ea6cf4ec70f68949aa10aa42849ddc196fc5a09aa766b230b2
Opcode Fuzzy Hash: b0a9a5407497fd1e8d7d80731b49a5348b77e3e96a071c0c0590965096a0236e
Instruction Fuzzy Hash:

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\log.bin

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exePID: 3136, Parent PID: 1028

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exePID: 3136, Parent PID: 1028COMMON

Non-executed Functions

Function 00007FF6C2DEA854 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Function 00007FF6C2CB1500 Relevance: .6, Instructions: 643COMMON

Windows Analysis Report
SecuriteInfo.com.Variant.Lazy.606094.29765.28609.exe