Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Analysis ID:	1542454
MD5:	a57dad8c1dae1fa551709713fa74bbee
SHA1:	42bc8573f4eb0a5e1ee83b7bce5dcc952526cb88
SHA256:	3744aed5783f8ffd6dff8d8beb8bfccf8abd1320bc86f58d281f29bc58695ec0
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe (PID: 6192 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5: A57DAD8C1DAE1FA551709713FA74BBEE)

conhost.exe (PID: 792 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4536 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

certutil.exe (PID: 3800 cmdline: certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)

find.exe (PID: 3848 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

find.exe (PID: 3160 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 352 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 4620 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 6676 cmdline: timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)

WerFault.exe (PID: 5064 cmdline: C:\Windows\system32\WerFault.exe -u -p 6192 -s 676 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.3% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000000.1459676362.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_53610d80-f

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.8:49708 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\ied_sec_client_proj\trunk\tessafe\Bin\amd64\TesSafe64.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source:	Binary string: d:\sandbox\154167\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source:	Binary string: C:\Users\gg\Desktop\projects\KernelVault\keyauth-cpp-library-main clix\DriverLoader2\DriverLoader2\x64\Release\DriverLoader2.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Source: Joe Sandbox View

IP Address: 104.26.0.5 104.26.0.5

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1545967792.0000005685F2D000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546111011.000001ED1FF9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546111011.000001ED1FF9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/ace
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546111011.000001ED1FF9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/m

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.8:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF63FB06680

0_2_00007FF63FB06680

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6192 -s 676

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000000.1459676362.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000000.1459676362.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTesSafe64.sys vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTesSafe64.sys vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Binary or memory string: OriginalFilenameTesSafe64.sys vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Binary string: TesSafe\Device\TesSafe\DosDevices\TesSafe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Binary string: \Device\Nal

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546111011.000001ED1FF9C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ndows\System32\OpenSSH\;C:\Users\user\AppData\Local\Microsoft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBP%P

Source: classification engine

Classification label: mal56.winEXE@18/5@1/2

Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6192
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:792:120:WilError_03

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\8afd3bbb-ed85-46ab-b059-5cde31b96de3

Jump to behavior

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

ReversingLabs: Detection: 23%

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6192 -s 676
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static file information: File size 3873408 > 1048576

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e6a00

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\ied_sec_client_proj\trunk\tessafe\Bin\amd64\TesSafe64.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source:	Binary string: d:\sandbox\154167\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source:	Binary string: C:\Users\gg\Desktop\projects\KernelVault\keyauth-cpp-library-main clix\DriverLoader2\DriverLoader2\x64\Release\DriverLoader2.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

API coverage: 0.7 %

Source: C:\Windows\System32\timeout.exe TID: 2844

Thread sleep count: 39 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546111011.000001ED1FF9C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF63FCD1A58 __vcrt_InitializeCriticalSectionEx,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF63FCD1A58

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF63FCD1A58 __vcrt_InitializeCriticalSectionEx,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF63FCD1A58

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF63FB2EE60 GetProcessHeap,

0_2_00007FF63FB2EE60

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF63FCD212C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF63FCD212C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00007FF63FCD1278

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF63FCD2BA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF63FCD2BA0

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	24%	ReversingLabs
SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.0.5	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.2/ace	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546111011.000001ED1FF9C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.13.dr	false	URL Reputation: safe	unknown
https://keyauth.win/api/1.2/m	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546111011.000001ED1FF9C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://curl.haxx.se/docs/http-cookies.html	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	false	URL Reputation: safe	unknown
https://keyauth.win/api/1.2/	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1545967792.0000005685F2D000.00000004.00000010.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.1546111011.000001ED1FF9C000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.0.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542454
Start date and time:	2024-10-25 23:42:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Detection:	MAL
Classification:	mal56.winEXE@18/5@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Simulations

Behavior and APIs

Time	Type	Description
17:43:25	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.0.5	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse
	dGuXzI4UlT.exe	Get hash	malicious	Unknown	Browse
	vjlICWbvGT.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.27133.15456.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	dGuXzI4UlT.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	vjlICWbvGT.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	Zl5QaBwsTJ.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	https://louisianalaw.us/awI1AlsoTxn2APQ3EspQ3E4RAI1AoTxnz01coTxm&c=E,1,vvMSQz5CSzvUF_pnZgRSmb_4_6IhFVsFaIdJFKN2k78xDXcVLKO_NH-275AIvCQYfKD3jL3qc4bCIgEC2N6Rr4xli-ez6GBrwxbUrVz5hy4g&typo=1	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://certify.us.com/D5QkoQ3Eniw4G2APQ3ED5QpQ3E4RAionz01coq01	Get hash	malicious	Unknown	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	sgM0Akbldk.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://deborahmeagher.com.de/kfOoB/	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	VAIIBIHmtT.exe	Get hash	malicious	Stealc	Browse	104.21.56.70

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.FileRepMalware.12632.12594.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.FileRepMalware.8628.17723.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Iyto7FYCJO.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.Evo-gen.20301.32747.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.32411.29244.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Frozen_Slotted.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.TrojanX-gen.12317.30120.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	fox vanguard bypass.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3614ad19c0cf73c93992fea3fa40529655361d0_1eb0641c_22ceb5d7-5df2-476a-9f30-497bd522f034\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9201974073766187
Encrypted:	false
SSDEEP:	96:q1TFUMr8dsChqtY7q4BSFQXIDcQlc6WcE8cw3d/5+HbHg/8BRTf3o8Fa9KUNsPQz:wj8dqV+07SmJGjHOzuiFdZ24lO8J
MD5:	487B852A45AFE8D913BF35E390DE3936
SHA1:	26C5DE02DA39B2DE0D9ACD489BB43B1B106A1E6E
SHA-256:	12DF46916CD84173183A7C972953FC779B39DC9E1EA9BA095BB99EEED9545E81
SHA-512:	56F9683ED75E9E191838E070E6BA17E0328C83059D149796F7CB03D782D13BAF32EB7941D2E7D5EA54B675FAB3C073AE503686BF0B2BCAFC846918D4B03CE8B6
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.6.6.1.9.9.9.6.4.6.7.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.6.6.2.0.0.4.6.4.6.7.3.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.c.e.b.5.d.7.-.5.d.f.2.-.4.7.6.a.-.9.f.3.0.-.4.9.7.b.d.5.2.2.f.0.3.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.7.8.c.2.a.5.-.f.f.3.b.-.4.6.a.6.-.8.9.b.6.-.3.7.6.4.7.4.9.9.5.5.b.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...V.a.r.i.a.n.t...T.e.d.y...6.2.7.9.1.5...5.9.9...8.7.4.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.3.0.-.0.0.0.1.-.0.0.1.4.-.2.d.d.0.-.e.4.e.6.2.6.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.d.8.5.3.c.7.1.5.f.1.2.d.1.e.9.e.d.0.a.8.8.3.a.d.f.0.8.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.4.2.b.c.8.5.7.3.f.4.e.b.0.a.5.e.1.e.e.8.3.b.7.b.c.e.5.d.c.c.9.5.2.5.2.6.c.b.8.8.!.S.e.c.u.r.i.t.e.I.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7652.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Oct 25 21:43:20 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	161222
Entropy (8bit):	1.6008980779582418
Encrypted:	false
SSDEEP:	384:xNIvegXClRvDDo6oz+jUYmWKidORRKqT6wGL1l:AvPXClRvAYWm1l
MD5:	1CB622D032CD3294A41CC7EE4CA43BA7
SHA1:	D899DFB17361D76ABE591B56886D7315C1283ED4
SHA-256:	79943384A0CBCD812B51F81F6C9BD1DE1F20B8D06D1E2F98DB259C3D8C74528F
SHA-512:	9DF118635C135A83717EAF44345F3B59A1A259599DF1DFFE002DB297EAAD28CB8B2A890D4D58A39DC487EDE9D589405BAEAE24F21881DF02071BF8A0F98EFE73
Malicious:	false
Preview:	MDMP..a..... ..........g....................................4....7..........T.......8...........T...............&[......................................................................................................eJ......\.......Lw......................T.......0......g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER775C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9022
Entropy (8bit):	3.702078980260712
Encrypted:	false
SSDEEP:	192:R6l7wVeJqZP6v6YS5xgmfp0npDO89bufj8fiam:R6lXJsP6v6Ycxgmfp0lufYf2
MD5:	2A228AF2BE49DB6E8EA0D716326B8A47
SHA1:	96381587733970EAD73C7A09DC965075FA700BD6
SHA-256:	56D72A3C72ACD290490DAE62CE7B7E1F649B3391508FA48DDF3A1E8BCC8A88C5
SHA-512:	61B5DFA67190E8BFC5D24A81EBFAD33783A78A6E31CB56DE68E053667E6B0ABF1AA4DA18C66E0B733529ACBE9A58FEECB7FBCD466220979F693D1634DC12E653
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.1.9.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER778C.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5001
Entropy (8bit):	4.546833758774734
Encrypted:	false
SSDEEP:	96:uIjfNI7987VMJ/IA2MmWQA2MCpY+oo+fd:uIxY987e/IA2MGA2MCpY+T+1
MD5:	791335EAB9667F94AC8B44CBFE11C9FA
SHA1:	EAFC5603D5191B35B7506BF4D43E2F10F8179B82
SHA-256:	E9DBFC4D41B3C6D3597E72733DD3D4EBEE0C70CE07C12EA1F387062CAE55FEFC
SHA-512:	F2328F6B4CF5054F21B7E46FD7AD07835925177421BBEE62A1A96A6A5A5254BB7C99E2201C8EF682ABF5C0285AC2706D6C8E9B63418E7448A8BCB21615421831
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559486" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.372418593231094
Encrypted:	false
SSDEEP:	6144:iFVfpi6ceLP/9skLmb0YyWWSPtaJG8nAge35OlMMhA2AX4WABlguNciL:qV1myWWI/glMM6kF76q
MD5:	FD882D37872CB00481E2605184212A99
SHA1:	B9EDD96D1FF7BD23D9045F09BB8B76CCFCCEA5FD
SHA-256:	504BF5E09AFB5CEDBEAC0A7DAA9DF17507FA020C1EC529CBB0D046E240E9CC5C
SHA-512:	C056463B80F59378A2BDEE361418A27A4FD322FB366DCD99B2525B3903AD010445BAD02E6932284BED6D83B94FB1706536199F3E8BFB3D8A30C8A0E17E950A6D
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmNKf.&'...............................................................................................................................................................................................................................................................................................................................................6q.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.317056142370199
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
File size:	3'873'408 bytes
MD5:	a57dad8c1dae1fa551709713fa74bbee
SHA1:	42bc8573f4eb0a5e1ee83b7bce5dcc952526cb88
SHA256:	3744aed5783f8ffd6dff8d8beb8bfccf8abd1320bc86f58d281f29bc58695ec0
SHA512:	49dfa57823633adcb1d4ff878136bc5dfbe357f526c4d5aa8f4e4f464ee6d34349a4df5e68aa4ed0de32d64c42f44488404bb0967e408df00ea39dfa6f1fc1b7
SSDEEP:	49152:cCC5fA3V7/6Qqj2jsJRyhQ8jl4SAc6Li:c/VA/d5QSaL
TLSH:	14066B065BEED0D8C070407821863217E6327C480A2ADBF71FD08B9667E776966BFF56
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2S..v2..v2..v2...J..`2....x.~2......r2......\|2......S2......p2...B...2..=J..k2..v2...3..e...q2..e...t2..e.z.w2..e...w2..Richv2.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1402e262c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C54A5D [Wed Aug 21 02:01:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5315b8464aa682f0e3d3b00df735a946

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FD220F61C00h
dec eax
add esp, 28h
jmp 00007FD220F61507h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007FD220F616EDh
dec eax
or dword ptr [000B7A85h], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [000B7A6Dh], 00008000h
cmp eax, 000106C0h
je 00007FD220F616BAh
cmp eax, 00020660h
je 00007FD220F616B3h
cmp eax, 00020670h
je 00007FD220F616ACh
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007FD220F616B6h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007FD220F616A6h
inc esp
mov eax, dword ptr [000B8D5Bh]
inc ecx
or eax, 01h
inc esp
mov dword ptr [000B8D50h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x396140	0x21c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a6000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x39c000	0x9abc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a7000	0x600	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x32d2a0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32d380	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x32d160	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e8000	0xd78	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e6890	0x2e6a00	249b1edcc5d16a058e72c3d76adff375	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2e8000	0xb1e9e	0xb2000	2243bfab32c6ece4826bbca0b59165af	False	0.4939239159058989	data	6.847170492622551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39a000	0x1488	0xa00	fc2b7bf89c934172bbfecdd94ba069e5	False	0.217578125	data	4.052491232704579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x39c000	0x9abc	0x9c00	5929590dd1d4dbba8e1518d3f590e613	False	0.4462139423076923	data	5.977831928262313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3a6000	0x1e0	0x200	6b3b1701e7ba0fd5f2721ec922bfab3f	False	0.52734375	data	4.70672250389512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a7000	0x600	0x600	04e47fa203d86d5e6d8e4bbe9c50c4d6	False	0.5904947916666666	data	5.362807738496344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x3a6060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameW, GetModuleFileNameA, InitializeSListHead, GetSystemTimeAsFileTime, IsProcessorFeaturePresent, TerminateProcess, UnhandledExceptionFilter, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, IsDebuggerPresent, GetFileInformationByHandleEx, AreFileApisANSI, DeviceIoControl, GetFileAttributesExW, FindFirstFileW, FindClose, CreateDirectoryW, GetCurrentDirectoryW, GetLocaleInfoEx, GetFileSizeEx, CreateFileA, WaitForMultipleObjects, PeekNamedPipe, ReadFile, GetFileType, GetStdHandle, GetEnvironmentVariableA, MultiByteToWideChar, WaitForSingleObjectEx, MoveFileExA, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, LoadLibraryA, FreeLibrary, QueryPerformanceFrequency, SleepEx, LeaveCriticalSection, EnterCriticalSection, FormatMessageA, SetLastError, WideCharToMultiByte, GetCurrentProcessId, GetCurrentThreadId, VirtualAlloc, VirtualFree, GetProcAddress, GetSystemDirectoryA, GetTempPathW, CreateFileW, SetUnhandledExceptionFilter, GetCurrentProcess, Sleep, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, CloseHandle, OutputDebugStringW
USER32.dll	MessageBoxA
ADVAPI32.dll	CryptEncrypt, GetUserNameA, IsValidSid, GetTokenInformation, GetLengthSid, CopySid, OpenProcessToken, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, RegCloseKey, RegCreateKeyW, RegOpenKeyW, RegSetKeyValueW, RegDeleteTreeW, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptGenRandom, CloseServiceHandle, StartServiceA, OpenServiceA, OpenSCManagerA, DeleteService, CreateServiceA, ConvertSidToStringSidW
SHELL32.dll	ShellExecuteA
MSVCP140.dll	?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ, ?fill@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WXZ, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?widen@?$ctype@_W@std@@QEBA_WD@Z, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?id@?$ctype@_W@std@@2V0locale@2@A, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?is@?$ctype@D@std@@QEBA_NFD@Z, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?rdstate@ios_base@std@@QEBAHXZ, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z, ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ??7ios_base@std@@QEBA_NXZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Xbad_function_call@std@@YAXXZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?width@ios_base@std@@QEAA_J_J@Z, ?width@ios_base@std@@QEBA_JXZ, ?setf@ios_base@std@@QEAAHHH@Z, ?flags@ios_base@std@@QEBAHXZ, ?good@ios_base@std@@QEBA_NXZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ??Bid@locale@std@@QEAA_KXZ, ?tie@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_ostream@_WU?$char_traits@_W@std@@@2@XZ, ?_Winerror_map@std@@YAHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?uncaught_exceptions@std@@YAHXZ, ?_Xout_of_range@std@@YAXPEBD@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?_Xlength_error@std@@YAXPEBD@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z
Normaliz.dll	IdnToAscii
WLDAP32.dll
CRYPT32.dll	CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertOpenStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertAddCertificateContextToStore
WS2_32.dll	WSAGetLastError, getpeername, recv, closesocket, bind, connect, getsockname, getsockopt, htons, ntohs, ntohl, socket, WSASetLastError, WSAIoctl, WSAStartup, select, WSACleanup, accept, gethostname, listen, ioctlsocket, __WSAFDIsSet, freeaddrinfo, getaddrinfo, recvfrom, send, sendto, setsockopt, htonl
SHLWAPI.dll	PathFindFileNameW
RPCRT4.dll	RpcStringFreeA, UuidToStringA, UuidCreate
USERENV.dll	UnloadUserProfile
ntdll.dll	RtlCaptureContext, VerSetConditionMask, RtlInitUnicodeString, NtQuerySystemInformation, RtlLookupFunctionEntry, RtlVirtualUnwind
VCRUNTIME140.dll	__C_specific_handler, strrchr, __current_exception_context, memset, memcpy, strstr, __current_exception, _purecall, wcsstr, memmove, memcmp, memchr, __std_exception_copy, _CxxThrowException, strchr, __std_exception_destroy
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, __p___argv, __p___argc, terminate, _set_app_type, _seh_filter_exe, system, _resetstkoflw, _configure_narrow_argv, _invalid_parameter_noinfo, _beginthreadex, _invalid_parameter_noinfo_noreturn, _exit, _cexit, _crt_atexit, exit, _initterm_e, _register_thread_local_exe_atexit_callback, abort, _initterm, _initialize_narrow_environment, strerror, _getpid, _register_onexit_function, __sys_nerr, _get_initial_narrow_environment, _errno, _initialize_onexit_table
api-ms-win-crt-heap-l1-1-0.dll	free, calloc, _recalloc, _callnewh, realloc, malloc, _set_new_mode
api-ms-win-crt-convert-l1-1-0.dll	atoi, strtod, strtol, strtoul, strtoll, strtoull
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsscanf, __acrt_iob_func, fseek, _lseeki64, ftell, feof, fgets, _open, _close, _write, _get_stream_buffer_pointers, _read, __p__commode, fclose, fflush, fgetc, fgetpos, _set_fmode, __stdio_common_vsprintf, fopen, fputs, ungetc, setvbuf, _popen, _pclose, fwrite, _fseeki64, fsetpos, fread, fputc
api-ms-win-crt-filesystem-l1-1-0.dll	_wremove, _stat64, remove, _lock_file, _fstat64, _access, _unlink, _unlock_file
api-ms-win-crt-time-l1-1-0.dll	_localtime64, _gmtime64, strftime, _time64
api-ms-win-crt-locale-l1-1-0.dll	localeconv, ___lc_codepage_func, _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dsign, _dclass
api-ms-win-crt-string-l1-1-0.dll	strpbrk, strcmp, strcspn, _stricmp, strspn, isupper, strncpy, strncmp, tolower, _strdup
api-ms-win-crt-utility-l1-1-0.dll	rand, qsort, srand

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 23:43:18.328866959 CEST	49708	443	192.168.2.8	104.26.0.5
Oct 25, 2024 23:43:18.328880072 CEST	443	49708	104.26.0.5	192.168.2.8
Oct 25, 2024 23:43:18.328963041 CEST	49708	443	192.168.2.8	104.26.0.5
Oct 25, 2024 23:43:18.341336012 CEST	49708	443	192.168.2.8	104.26.0.5
Oct 25, 2024 23:43:18.341347933 CEST	443	49708	104.26.0.5	192.168.2.8
Oct 25, 2024 23:43:18.981379032 CEST	443	49708	104.26.0.5	192.168.2.8
Oct 25, 2024 23:43:18.981463909 CEST	49708	443	192.168.2.8	104.26.0.5
Oct 25, 2024 23:43:19.915277958 CEST	49708	443	192.168.2.8	104.26.0.5
Oct 25, 2024 23:43:19.915294886 CEST	443	49708	104.26.0.5	192.168.2.8
Oct 25, 2024 23:43:19.915409088 CEST	49708	443	192.168.2.8	104.26.0.5
Oct 25, 2024 23:43:19.915798903 CEST	443	49708	104.26.0.5	192.168.2.8
Oct 25, 2024 23:43:19.915957928 CEST	49708	443	192.168.2.8	104.26.0.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 23:43:18.312115908 CEST	54252	53	192.168.2.8	1.1.1.1
Oct 25, 2024 23:43:18.322671890 CEST	53	54252	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 23:43:18.312115908 CEST	192.168.2.8	1.1.1.1	0xde49	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 23:43:18.322671890 CEST	1.1.1.1	192.168.2.8	0xde49	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Oct 25, 2024 23:43:18.322671890 CEST	1.1.1.1	192.168.2.8	0xde49	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Oct 25, 2024 23:43:18.322671890 CEST	1.1.1.1	192.168.2.8	0xde49	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	17:43:17
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe"
Imagebase:	0x7ff63f9f0000
File size:	3'873'408 bytes
MD5 hash:	A57DAD8C1DAE1FA551709713FA74BBEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:43:17
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:43:17
Start date:	25/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Imagebase:	0x7ff6086e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:43:17
Start date:	25/10/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5
Imagebase:	0x7ff72f6b0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:43:17
Start date:	25/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "md5"
Imagebase:	0x7ff7be990000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:43:17
Start date:	25/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "certutil"
Imagebase:	0x7ff7be990000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:43:19
Start date:	25/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff6086e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:43:19
Start date:	25/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff6086e0000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:43:19
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:43:19
Start date:	25/10/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 5
Imagebase:	0x7ff6bb7e0000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:43:19
Start date:	25/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6192 -s 676
Imagebase:	0x7ff7dce40000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	77
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF63FCD1B34 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF63FB2FD43,?,?,?,?,?,?,?,?,?,00007FF63FB34340), ref: 00007FF63FCD1B4E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF63FCD1B64

Part of subcall function 00007FF63FCD2930: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF63FCD2939
Part of subcall function 00007FF63FCD2930: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF63FCD1B69,?,?,?,00007FF63FB2FD43), ref: 00007FF63FCD294A

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrowmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 514126270-0
Opcode ID: f8a4103838cfa4670266cde32cbc1b6d3760155078776d00e363d5b4da3d2167
Instruction ID: ecde7bbd61b12b362fce67d96f70bbad71aa5805c9dc4e5925331f0e4c9befb0
Opcode Fuzzy Hash: f8a4103838cfa4670266cde32cbc1b6d3760155078776d00e363d5b4da3d2167
Instruction Fuzzy Hash: ABE0BD80EDA10B19FA2D2A6238160BE02600F58774E182B34F93D893C6BD1CA891A320

Function 00007FF63FB05AE0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB05B0C

Part of subcall function 00007FF63FB0C530: Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB0C5A6
Part of subcall function 00007FF63FB0C530: Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB0C5B5

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::~_$Concurrency::details::EmptyQueue::StructuredWork
String ID:
API String ID: 2595383736-0
Opcode ID: 576b010e4d79c71d416d7fa9ea3cde484612d8b2d44409d99271f6b5ee5e5ba0
Instruction ID: 9c6a5d50ed2474cc635b49ffd7c688073a2d855f8c5c88c5b2becb59774e6f05
Opcode Fuzzy Hash: 576b010e4d79c71d416d7fa9ea3cde484612d8b2d44409d99271f6b5ee5e5ba0
Instruction Fuzzy Hash: 01211276618F8982DA10DB15F48026AB7A4FBCAB84F501126FACE83B69DF3CD051DB00

Function 00007FF63FB04A10 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF63FB33510: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00007FF63FB33519
Part of subcall function 00007FF63FB33510: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF63FB04A38), ref: 00007FF63FB3352A

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00007FF63FB04772), ref: 00007FF63FB04A52

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow_invalid_parameter_noinfo_noreturnstdext::threads::lock_error::lock_error
String ID:
API String ID: 2622805724-0
Opcode ID: 6374f793fb6f722ee5878ab83d7be588fd6d591f92a24dbc7afee8e052767654
Instruction ID: 881315bc1fd99f0223f27c037708d47094fb67c23c0f5036a83e304a8acaeec2
Opcode Fuzzy Hash: 6374f793fb6f722ee5878ab83d7be588fd6d591f92a24dbc7afee8e052767654
Instruction Fuzzy Hash: 470192A2A18F4281DA649B19E44071BA3A0FB897A8F101631F6DE83794EF7CC0109B05

Function 00007FF63FB2FEB0 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB2FEF3

Part of subcall function 00007FF63FB04790: allocator.LIBCONCRTD ref: 00007FF63FB047AB

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::EmptyQueue::StructuredWorkallocator
String ID:
API String ID: 1755220593-0
Opcode ID: b78befe849ce56f157e027da90f8e68232d6b693ab0334466e71ee11ad11378e
Instruction ID: 3a9a0917b70f8ab91a77983b72bec9ebf3c453bc8c577bc6f071dc0c337c7220
Opcode Fuzzy Hash: b78befe849ce56f157e027da90f8e68232d6b693ab0334466e71ee11ad11378e
Instruction Fuzzy Hash: E2016076619F8482CA60DB0AF89011EB7A4F7C9B94F504126FACE83B29DF3CD1608B00

Function 00007FF63FB04790 Relevance: 1.5, APIs: 1, Instructions: 9
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

allocator.LIBCONCRTD ref: 00007FF63FB047AB

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: c46cd13c757347ee5ae45a1ac98d4f5a8e92b1abd091d4f9b2d6aefa4f4cafc4
Instruction ID: 515e6974a6f2a974961eaf901cdecbec829d458b54a58c36d3b1a361faba049a
Opcode Fuzzy Hash: c46cd13c757347ee5ae45a1ac98d4f5a8e92b1abd091d4f9b2d6aefa4f4cafc4
Instruction Fuzzy Hash: 1EC0C9A6A29B84C1CA04EB12F88100A7360F7C8BC0F909421EA8E43729CF38C0548B00

Non-executed Functions

Function 00007FF63FCD1A58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

__vcrt_InitializeCriticalSectionEx.LIBVCRUNTIMED ref: 00007FF63FCD1AB0

Part of subcall function 00007FF63FB2FD60: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF63FB2FD80

GetLastError.KERNEL32 ref: 00007FF63FCD1AB9
IsDebuggerPresent.KERNEL32 ref: 00007FF63FCD1AD1
OutputDebugStringW.KERNEL32 ref: 00007FF63FCD1AE2

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF63FCD1ADB

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: CriticalInitializeSection$DebugDebuggerErrorLastOutputPresentString__vcrt_
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3055932891-631824599
Opcode ID: 783119a43e65aac90d12e51b1c615accf096e0dfaa7eb4c44b9032a0703a7d66
Instruction ID: c2ab02708994718866372e4ee9c9cb6f06ef415f3ce9197f671f7a76010ef17a
Opcode Fuzzy Hash: 783119a43e65aac90d12e51b1c615accf096e0dfaa7eb4c44b9032a0703a7d66
Instruction Fuzzy Hash: A9112832B54B82A6E7489B22E6543AA33A4FF44345F444135D65D82AA4EF3CE464D750

Function 00007FF63FCD2BA0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF63FCD2BCC
GetCurrentThreadId.KERNEL32 ref: 00007FF63FCD2BDA
GetCurrentProcessId.KERNEL32 ref: 00007FF63FCD2BE6
QueryPerformanceCounter.KERNEL32 ref: 00007FF63FCD2BF6

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4e2d1bd58a9d8448902597674e7da3e3367d4cfbcb8d42016aa474c77cdf1e72
Instruction ID: ae5c9fdbf776cb774ce558c6ccdb7806c5c0ca06fb34145a7a07a651d66a8b29
Opcode Fuzzy Hash: 4e2d1bd58a9d8448902597674e7da3e3367d4cfbcb8d42016aa474c77cdf1e72
Instruction Fuzzy Hash: C8112A26B94F068AEB00CF60E8542B933B4FB59758F441E31EA6D867A4DF7CD558D380

Function 00007FF63FCD1278 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,00007FF63FB1860A), ref: 00007FF63FCD129E
FormatMessageA.KERNEL32 ref: 00007FF63FCD12D1

Strings

!x-sys-default-locale, xrefs: 00007FF63FCD1291

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: ae7cb96a73b823519f046e9a82413b3af816002884d7848d87413d8fa98ec08b
Instruction ID: 63c86024d24c3c7a079b94a51e4075f826db81af29baa440fc81144030329e1c
Opcode Fuzzy Hash: ae7cb96a73b823519f046e9a82413b3af816002884d7848d87413d8fa98ec08b
Instruction Fuzzy Hash: 8901CC72B88B8282F7198B52B500BBFA7B1FB887C4F048135EA4986B98CF3CD500D740

Function 00007FF63FB2EE60 Relevance: 1.3, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63FCD1E70: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF63FB2EF0E,?,?,?,?,00007FF63FB181DE,?,?,?,?,00007FF63F9F1050), ref: 00007FF63FCD1E80

GetProcessHeap.KERNEL32(?,?,?,?,00007FF63FB181DE,?,?,?,?,00007FF63F9F1050), ref: 00007FF63FB2EEAF

Part of subcall function 00007FF63FCD1E04: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF63FB2EF53,?,?,?,?,00007FF63FB181DE,?,?,?,?,00007FF63F9F1050), ref: 00007FF63FCD1E14
Part of subcall function 00007FF63FCD1E04: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF63FB2EF53,?,?,?,?,00007FF63FB181DE,?,?,?,?,00007FF63F9F1050), ref: 00007FF63FCD1E54

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: ExclusiveLock$Acquire$HeapProcessRelease
String ID:
API String ID: 3865638231-0
Opcode ID: 71a3de95a5db07dcad1cd2507a2d500c210894f8145dd710bfa4608815be444e
Instruction ID: 6e599e30e1bfd2b7651a56bf39757ef1a8ff5b2a9b26d1f661f9dcbe54cda19f
Opcode Fuzzy Hash: 71a3de95a5db07dcad1cd2507a2d500c210894f8145dd710bfa4608815be444e
Instruction Fuzzy Hash: BE21EC64A69943A5FA08EB14E9950B93375BF95740FC12332E40EC27E2DF2CEA55E341

Function 00007FF63FB06680 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741ea51273af6ced77d8204fa0c22d04b1cf6953300260873340e5f8a9195d54
Instruction ID: 0c3733f3933f510445dd104ecacc71e8ad0557854efb709bc08535f33ca73713
Opcode Fuzzy Hash: 741ea51273af6ced77d8204fa0c22d04b1cf6953300260873340e5f8a9195d54
Instruction Fuzzy Hash: 21829176219AC58AD775CB19E4907AEB7A1F3C9B94F144126EA8E83B68CF3CD544CF00

Function 00007FF63FB0A5D0 Relevance: 21.2, APIs: 14, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF63FB0A620
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF63FB0A64B
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF63FB0A686
?flags@ios_base@std@@QEBAHXZ.MSVCP140 ref: 00007FF63FB0A6F3
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF63FB0A742
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140 ref: 00007FF63FB0A76D
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF63FB0A781
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF63FB0A7E9
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140 ref: 00007FF63FB0A809
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF63FB0A86E
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140 ref: 00007FF63FB0A899
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF63FB0A8AD
?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF63FB0A917
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF63FB0A94E

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@_$D@std@@@std@@U?$char_traits@$?width@ios_base@std@@W@std@@@std@@$?rdbuf@?$basic_ios@_V?$basic_streambuf@_W@std@@@2@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@_
String ID:
API String ID: 3628490770-0
Opcode ID: 9f70a5b17ca0f15cc1049185e283ac8fd5907c399e60a8d025d402138028276d
Instruction ID: 84f75ed986e1c18bd9f2c975ec51bdbb67a49003326dd801ec909f4416494e55
Opcode Fuzzy Hash: 9f70a5b17ca0f15cc1049185e283ac8fd5907c399e60a8d025d402138028276d
Instruction Fuzzy Hash: 63A1C766A0DB85C6DA64DB16F59036EB7A0FBC9B84F004436EA8E83769DF3CD4449B01

Function 00007FF63FB6B850 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF63FB16CD0: char_traits.LIBCPMTD ref: 00007FF63FB16CFD

type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB6B912
type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB6B943
type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB6BA7B
type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB6BBF0

Part of subcall function 00007FF63FB03D10: char_traits.LIBCPMTD ref: 00007FF63FB03D30
Part of subcall function 00007FF63FB03D10: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB03D84

type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB6BB48

Strings

syntax error , xrefs: 00007FF63FB6B873
while parsing , xrefs: 00007FF63FB6B8BA
; last read: ', xrefs: 00007FF63FB6B9CD
unexpected , xrefs: 00007FF63FB6BB0C
; expected , xrefs: 00007FF63FB6BBB4

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: type_info::_name_internal_method$char_traits$Concurrency::details::EmptyQueue::StructuredWork
String ID: ; expected $; last read: '$syntax error $unexpected $while parsing
API String ID: 3012117132-4239264347
Opcode ID: a5dc54af2d110ee15b9334c1b336f1c85abe22bcc17acc6ed72fc8297cf45f24
Instruction ID: 2ef3e658429e2d8b2320aa4bef5e6ea45efb8ab67036d12a49c2476adc6e6209
Opcode Fuzzy Hash: a5dc54af2d110ee15b9334c1b336f1c85abe22bcc17acc6ed72fc8297cf45f24
Instruction Fuzzy Hash: 7B91E67264DBC691DAB49B14E4843EEB3A4FBC5780F404136E68E83BAADF2CD445DB40

Function 00007FF63FB32910 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF63FB32964

Part of subcall function 00007FF63FCD1388: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF63FCD138C
Part of subcall function 00007FF63FCD1388: AreFileApisANSI.KERNEL32 ref: 00007FF63FCD139B

Part of subcall function 00007FF63FB1B1E0: std::_Fac_node::_Fac_node.LIBCPMTD ref: 00007FF63FB1B21D

Part of subcall function 00007FF63FB05FA0: List.LIBCMTD ref: 00007FF63FB05FEC
Part of subcall function 00007FF63FB05FA0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB06093

type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB32B04
type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB32B2F
type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB32B45
type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB32B84
type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB32B9A
Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 00007FF63FB32BAA

Strings

", ", xrefs: 00007FF63FB32B65
: ", xrefs: 00007FF63FB32B10

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: type_info::_name_internal_method$ApisConcurrency::details::Concurrency::task_continuation_context::task_continuation_contextEmptyFac_nodeFac_node::_FileListQueue::StructuredWork___lc_codepage_func__std_fs_code_pagestd::_
String ID: ", "$: "
API String ID: 1700522703-747220369
Opcode ID: 7cfcadc2253ab10c95d59581eebc5d8042cdd7e241ff29f6e7fafbed051b3339
Instruction ID: 1db01740ed53cb064890a63e1f5f71daf4ae06d4f09953d3768d6c20d929126d
Opcode Fuzzy Hash: 7cfcadc2253ab10c95d59581eebc5d8042cdd7e241ff29f6e7fafbed051b3339
Instruction Fuzzy Hash: 1A612E7261CA8691DA35DB11E8513EFA360FBC9784F400532EA8EC3BAADE7CD505DB40

Function 00007FF63FB14130 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 497COMMON

Download Yara Rule

APIs

_Func_class.LIBCPMTD ref: 00007FF63FB14ED9

Strings

object, xrefs: 00007FF63FB15630
object key, xrefs: 00007FF63FB151B1
object separator, xrefs: 00007FF63FB153EB
array, xrefs: 00007FF63FB14FA3
value, xrefs: 00007FF63FB14CED

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Func_class
String ID: array$object$object key$object separator$value
API String ID: 1670654298-2448007618
Opcode ID: db5e975a570036553e7f94d44da9c56933bdf259cb22937827a301dce5654bd8
Instruction ID: 0720821650170ced6a711cca0298dedd8024f552b86e3edbf539be4f79b4056d
Opcode Fuzzy Hash: db5e975a570036553e7f94d44da9c56933bdf259cb22937827a301dce5654bd8
Instruction Fuzzy Hash: DB5217A660DBC195DAB49B15F4903EEB3A4EBC6784F400132E6CE87B6ADF2CD544DB01

Function 00007FF63FB129F0 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 497COMMON

Download Yara Rule

APIs

_Func_class.LIBCPMTD ref: 00007FF63FB13799

Strings

object, xrefs: 00007FF63FB13EF0
object key, xrefs: 00007FF63FB13A71
object separator, xrefs: 00007FF63FB13CAB
array, xrefs: 00007FF63FB13863
value, xrefs: 00007FF63FB135AD

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Func_class
String ID: array$object$object key$object separator$value
API String ID: 1670654298-2448007618
Opcode ID: 30ffda3624d6424a67e43499c31331b4d80e8fde3fb8fef4d10a9750cdbf09ca
Instruction ID: ac4f3790051996d3a85923899824ea36d8347d4dbd76806faf83d35213903b44
Opcode Fuzzy Hash: 30ffda3624d6424a67e43499c31331b4d80e8fde3fb8fef4d10a9750cdbf09ca
Instruction Fuzzy Hash: BD5217A660DBC195DAB49B15F4903EEB3A4EBC6784F400132E6CE87B6ADF2CD544DB01

Function 00007FF63FC00010 Relevance: 10.6, APIs: 7, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63FC00060
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63FC0006C

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: dd6bd2d32ed0a4552d503deda97d75ee8b407b9f55deb67a79f7f18f5301eac7
Instruction ID: 76143c851833cc15d94f0b1568c5abc1fa20ca8ed6d66af19e559452204dfdfa
Opcode Fuzzy Hash: dd6bd2d32ed0a4552d503deda97d75ee8b407b9f55deb67a79f7f18f5301eac7
Instruction Fuzzy Hash: 223108B588D646CAE7248F10F44436BB7B0FB84758F000135E689827A8CFBCD585EF15

Function 00007FF63FB338D0 Relevance: 10.6, APIs: 7, Instructions: 55COMMON

Download Yara Rule

APIs

?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF63FB19A72), ref: 00007FF63FB338FF
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF63FB19A72), ref: 00007FF63FB3390F
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF63FB19A72), ref: 00007FF63FB33921
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF63FB19A72), ref: 00007FF63FB33931
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF63FB19A72), ref: 00007FF63FB3394C
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP140(?,?,?,?,?,?,?,?,00007FF63FB19A72), ref: 00007FF63FB33981
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z.MSVCP140(?,?,?,?,?,?,?,?,00007FF63FB19A72), ref: 00007FF63FB33991

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?epptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@?setp@?$basic_streambuf@D00@
String ID:
API String ID: 2626452370-0
Opcode ID: 185698c16b04f3af74c471cbd5ae4026bdc4d43d4a3e66adb1fa6317d3853b89
Instruction ID: 0bd6f4898e1f0a3cd950043aa4fd8b733755d1f4b435b3b3e31eb6681006cb94
Opcode Fuzzy Hash: 185698c16b04f3af74c471cbd5ae4026bdc4d43d4a3e66adb1fa6317d3853b89
Instruction Fuzzy Hash: 1421BC76A59A8582EA14DB56F85122FB3A0FBC9B94F140135EA8E83B68DF7CD404DB04

Function 00007FF63FB67DA0 Relevance: 9.3, APIs: 6, Instructions: 260COMMON

Download Yara Rule

APIs

UnDecorator::getVbTableType.LIBCMTD ref: 00007FF63FB67E21

Part of subcall function 00007FF63FB33FD0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB33FE3

bool_.LIBCPMTD ref: 00007FF63FB67F44
shared_ptr.LIBCMTD ref: 00007FF63FB67F54
UnDecorator::getVbTableType.LIBCMTD ref: 00007FF63FB6800F
bool_.LIBCPMTD ref: 00007FF63FB6810C
shared_ptr.LIBCMTD ref: 00007FF63FB6811C

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Decorator::getTableTypebool_shared_ptr$Concurrency::details::EmptyQueue::StructuredWork
String ID:
API String ID: 2631667939-0
Opcode ID: 6a7545cfe1b610ce745b30f18c353a4de252b4bffb2beafc8b9a099a3b72e1a9
Instruction ID: e428c9300bffd2db1a6ed8d5bb6ece5497e7e28b2a1263a69cba3312dc53b88b
Opcode Fuzzy Hash: 6a7545cfe1b610ce745b30f18c353a4de252b4bffb2beafc8b9a099a3b72e1a9
Instruction Fuzzy Hash: 85D12F7260CAC690DA75DB15E4913EEA360FBDA780F404432E6CE87BAADF6CD544DB01

Function 00007FF63FB0FAA0 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63FB19080: ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF63FB190BA

?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF63FB0FB3B
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF63FB0FB44
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF63FB0FBF8
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF63FB0FC01
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF63FB0FCAC

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@U?$char_traits@_$?rdbuf@?$basic_ios@_V?$basic_streambuf@_W@std@@@2@W@std@@@std@@$?sbumpc@?$basic_streambuf@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 436491974-0
Opcode ID: c49e1b7a0487597d69a27c8c4d730118aa05dbd207d796b72402560918768041
Instruction ID: 32fc36a6714d0fe8209e2b8828ef5f7f0d209485fff700816b0b3c7f5f401302
Opcode Fuzzy Hash: c49e1b7a0487597d69a27c8c4d730118aa05dbd207d796b72402560918768041
Instruction Fuzzy Hash: 16512F72A0C68285DA74DB15F59126EB7A0FBC9B84F004135EACEC7B69DF7CE4059B01

Function 00007FF63FBFFED0 Relevance: 9.1, APIs: 6, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63FBFFF22
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF63FBFFF2E

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 33e67c687726017ec922af3165dd94ef506de64be0c18755618cffadda7841a0
Instruction ID: 0451db777d33bf20e32fada713f5cbb5f48c561bcc3ea0220897eb2bfbb8a567
Opcode Fuzzy Hash: 33e67c687726017ec922af3165dd94ef506de64be0c18755618cffadda7841a0
Instruction Fuzzy Hash: C33118B694D74686E7648B14F44432BB7E0FB89758F100235F69A82BA8CF7CE485EF05

Function 00007FF63FB15C40 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF63FB15C5F
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF63FB15C79
std::locale::_Getfacet.LIBCPMTD ref: 00007FF63FB15C8E
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF63FB15CC5
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF63FB15D57

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getcat@?$codecvt@GetfacetMbstatet@@@std@@V42@@Vfacet@locale@2@std::locale::_
String ID:
API String ID: 930135289-0
Opcode ID: 60e422734b0b0876130bd5e3988b4cc4bf4b6618fe5ac51d24d2c6d2df6d8229
Instruction ID: 1d647af1e3c45348a72435b6e887002a5670a16b52ea2fcdb11067557a8291a7
Opcode Fuzzy Hash: 60e422734b0b0876130bd5e3988b4cc4bf4b6618fe5ac51d24d2c6d2df6d8229
Instruction Fuzzy Hash: 04310A26A5DA4582DA149B15F88126FB370FBC9794F501232FA8E83BA9DF3CD541DB00

Function 00007FF63FB74FF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB75049
HandleT.LIBCPMTD ref: 00007FF63FB75058
type_info::_name_internal_method.LIBCMTD ref: 00007FF63FB750F9

Strings

<U+%.4X>, xrefs: 00007FF63FB750CE

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalHandleLock::_ReentrantScoped_lockScoped_lock::~_type_info::_name_internal_method
String ID: <U+%.4X>
API String ID: 1503085150-1919636860
Opcode ID: d7689c8780e7e9517fd381439f4adfe240bb0a6583ab39670c4d4a601100ede1
Instruction ID: 3d62ed21d7f537f8cd87dcce5162e8f2c492bdd9388caced4eaa579a0a7093f3
Opcode Fuzzy Hash: d7689c8780e7e9517fd381439f4adfe240bb0a6583ab39670c4d4a601100ede1
Instruction Fuzzy Hash: 8831597261CA8186D664DB11F85126FB7A0FBC9780F504532FACEC7B6ADE2CD580DB40

Function 00007FF63FBCEB00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Concurrency::cancellation_token::_FromImpl.LIBCPMTD ref: 00007FF63FBCEB2D
Concurrency::cancellation_token::_FromImpl.LIBCPMTD ref: 00007FF63FBCEB65

Strings

, column , xrefs: 00007FF63FBCEBA1
at line , xrefs: 00007FF63FBCEB7E

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancellation_token::_FromImpl
String ID: at line $, column
API String ID: 2278334151-191570568
Opcode ID: 0b0476e683444410c06c89faf219409f412737b45ccb73666e32d8119b3c7eb2
Instruction ID: 76f98726976b9cbcafbba68471dc082d2a8b367ab05104cefc292c7e39caa98a
Opcode Fuzzy Hash: 0b0476e683444410c06c89faf219409f412737b45ccb73666e32d8119b3c7eb2
Instruction Fuzzy Hash: 1931E372509B8582DA64DB59F88139BB7A4F7C9780F004126EACE83B69DF3CD545CB40

Function 00007FF63FB16D80 Relevance: 6.2, APIs: 4, Instructions: 214COMMON

Download Yara Rule

APIs

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB16DC4
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB16F85
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB16F9A

Part of subcall function 00007FF63FBCCDD0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FBCCDED
Part of subcall function 00007FF63FBCCDD0: _Max_value.LIBCPMTD ref: 00007FF63FBCCE12
Part of subcall function 00007FF63FBCCDD0: _Min_value.LIBCPMTD ref: 00007FF63FBCCE40

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB170DC

Part of subcall function 00007FF63FB34180: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF63FB050B5), ref: 00007FF63FB3418B

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::EmptyQueue::StructuredWork$Max_valueMin_valueXlength_error@std@@
String ID:
API String ID: 4007518583-0
Opcode ID: 0f077840f1ac01a53fb5d9f445c245d8c4bb494e84aab70f3904c119a19f714d
Instruction ID: 8762115fea90ba0f26d5459cc6c7b74a614ff12d04dbef062167225bcdfe6f02
Opcode Fuzzy Hash: 0f077840f1ac01a53fb5d9f445c245d8c4bb494e84aab70f3904c119a19f714d
Instruction Fuzzy Hash: FAB1F86661DBC585DA64DB16E8503ABB7A0FBC9BC0F004136EACE83B69DF6CD4409B41

Function 00007FF63FB2F110 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF63FB2F1EA
GetLastError.KERNEL32 ref: 00007FF63FB2F219
WideCharToMultiByte.KERNEL32 ref: 00007FF63FB2F261
WideCharToMultiByte.KERNEL32 ref: 00007FF63FB2F2D1

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ecec202655f9c531599374b38fcc20988f0c2ce1ba8e6c9c4af8467a9ed67bab
Instruction ID: d4a2b672f0af4406529839e11aae11c6c277c805126a1fb8c92cd2b46d421629
Opcode Fuzzy Hash: ecec202655f9c531599374b38fcc20988f0c2ce1ba8e6c9c4af8467a9ed67bab
Instruction Fuzzy Hash: 8A51E372618A818AD364CF15F48075EBBB0F78AB94F604125EACE87BA8DF7DD4448F40

Function 00007FF63FB05E30 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

List.LIBCMTD ref: 00007FF63FB05E7C
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF63FB05EEB
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB05F23
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF63FB05F6E

Part of subcall function 00007FF63FB33770: std::make_error_code.LIBCPMTD ref: 00007FF63FB33786
Part of subcall function 00007FF63FB33770: _CxxThrowException.VCRUNTIME140 ref: 00007FF63FB337B8

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: __std_fs_convert_wide_to_narrow$Concurrency::details::EmptyExceptionListQueue::StructuredThrowWorkstd::make_error_code
String ID:
API String ID: 473158611-0
Opcode ID: 8c4fd6d1689670e3fa4bf0a2fbe0c1002703dfa7d8f897caa6212ac84a87bdcc
Instruction ID: 3813e0d70cf04e3c8985f8df49bb554406c2bd8c516354f03dad1dd5a8f1536e
Opcode Fuzzy Hash: 8c4fd6d1689670e3fa4bf0a2fbe0c1002703dfa7d8f897caa6212ac84a87bdcc
Instruction Fuzzy Hash: C131D672A19A818AD6A4DB25E84176FB7A0FBC5780F105136FACE87B5ACF3CD4049B40

Function 00007FF63FB30BA0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

List.LIBCMTD ref: 00007FF63FB30BDF
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF63FB30C4E
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB30C87
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF63FB30CD2

Part of subcall function 00007FF63FB33770: std::make_error_code.LIBCPMTD ref: 00007FF63FB33786
Part of subcall function 00007FF63FB33770: _CxxThrowException.VCRUNTIME140 ref: 00007FF63FB337B8

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$Concurrency::details::EmptyExceptionListQueue::StructuredThrowWorkstd::make_error_code
String ID:
API String ID: 3467093758-0
Opcode ID: f1c37221971197ef2e6fe997a5e6e49ba08a93edbf11d59a9802932ff8400463
Instruction ID: 68ef8d5b12736b66f27cb8c896c739a2b35e1fb402c43f9be075961d3777e51e
Opcode Fuzzy Hash: f1c37221971197ef2e6fe997a5e6e49ba08a93edbf11d59a9802932ff8400463
Instruction Fuzzy Hash: 1131FA725196818AD664EB15E84176FB7A0FBC5780F001136F6CE83B5ACF3CD4009F40

Function 00007FF63FB190E0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63FB18390: ?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140(?,?,?,?,?,?,00007FF63FB190FD), ref: 00007FF63FB183D2

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF63FB19118
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF63FB1914A

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@U?$char_traits@_$?good@ios_base@std@@?rdbuf@?$basic_ios@_?tie@?$basic_ios@D@std@@@2@D@std@@@std@@V?$basic_ostream@V?$basic_streambuf@_W@std@@@2@W@std@@@std@@
String ID:
API String ID: 770597929-0
Opcode ID: 258c187f890d08a1e9fc0ca30172c85fc87cdba7641fff0cb397c093e47e2444
Instruction ID: e6d0b661a43fffcc369838b081a3cb7a4cddf806fa17c7fa0a9e17efb996f318
Opcode Fuzzy Hash: 258c187f890d08a1e9fc0ca30172c85fc87cdba7641fff0cb397c093e47e2444
Instruction Fuzzy Hash: BE21AA26609B8581DB14CB1AE49422EBBB0FBCAB89F544026EB8E83774DF3DD550D701

Function 00007FF63FCD151C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF63FCD1565
GetLastError.KERNEL32 ref: 00007FF63FCD1573
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF63FB06060), ref: 00007FF63FCD15A8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF63FB06060), ref: 00007FF63FCD15B6

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: e49e580475eb105ab438402875f7e769b0585cb18dcc6b3ad0ebc97820afbe23
Instruction ID: 1d90202153fa69133e053c85176e690e562008e9156af392b39be2fd0570875a
Opcode Fuzzy Hash: e49e580475eb105ab438402875f7e769b0585cb18dcc6b3ad0ebc97820afbe23
Instruction Fuzzy Hash: 4C21F976A58B8586E7148F11A44432FB7B4FB99B84F544139EB8993B64DF3CD4018B44

Function 00007FF63FB32E70 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_Func_class.LIBCONCRTD ref: 00007FF63FB32E83
_Func_class.LIBCONCRTD ref: 00007FF63FB32EDD

Part of subcall function 00007FF63FB33850: _Func_class.LIBCONCRTD ref: 00007FF63FB3385E
Part of subcall function 00007FF63FB33850: _Func_class.LIBCONCRTD ref: 00007FF63FB338BC

_Func_class.LIBCONCRTD ref: 00007FF63FB32F01
_Func_class.LIBCONCRTD ref: 00007FF63FB32F0D

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Func_class
String ID:
API String ID: 1670654298-0
Opcode ID: e77f79d9cf39988b35128cb69f5d17508d7ad36d8d49692ac75ebe8530a279bd
Instruction ID: b6df9eb4e294f3c6178c075965b2016056d2d43544b33a9531b4f069d693186b
Opcode Fuzzy Hash: e77f79d9cf39988b35128cb69f5d17508d7ad36d8d49692ac75ebe8530a279bd
Instruction Fuzzy Hash: F411FEA2A4CA4182DA14EB16EC5112FA7A4FBC6BC0F544036EACEC777ADE2DD4419B01

Function 00007FF63FB06220 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

shared_ptr.LIBCMTD ref: 00007FF63FB0625E

Part of subcall function 00007FF63FB1B6E0: shared_ptr.LIBCMTD ref: 00007FF63FB1B6EE

allocator.LIBCPMTD ref: 00007FF63FB06272
shared_ptr.LIBCMTD ref: 00007FF63FB06284
allocator.LIBCPMTD ref: 00007FF63FB06298

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: shared_ptr$allocator
String ID:
API String ID: 426846764-0
Opcode ID: fe7b6fd1f7e30fa00660d5006c6cb6fedca7224268ee6b27a83a09b9491fca5c
Instruction ID: 751b365ba583917891976fa2e6784c96fadda950eaff2d0af9fc2a30039c7408
Opcode Fuzzy Hash: fe7b6fd1f7e30fa00660d5006c6cb6fedca7224268ee6b27a83a09b9491fca5c
Instruction Fuzzy Hash: 4711576260CA8281DA70EB15F4412AFB365FBC97C0F408131EACE87B5ADF3CD1519B00

Function 00007FF63FB03850 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB0388A
HandleT.LIBCPMTD ref: 00007FF63FB03899
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB038A8
_Find_unchecked.LIBCPMTD ref: 00007FF63FB038C1

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::~_$Find_uncheckedHandle
String ID:
API String ID: 1005945929-0
Opcode ID: eec8d121c8286cafcff43c719952123da7a1a0ff476df82a5753a9bbffeecc93
Instruction ID: 49fe2409377b06b28411bc2f378d15df74633b6069153f64b73aaf38851348bd
Opcode Fuzzy Hash: eec8d121c8286cafcff43c719952123da7a1a0ff476df82a5753a9bbffeecc93
Instruction Fuzzy Hash: B0F04BA2A1CA8281DA54EB11F85106FA3A0FBC97D0F001435F6CFC3B6ADFACD0009B00

Function 00007FF63FB03780 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB037BA
HandleT.LIBCPMTD ref: 00007FF63FB037C9
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB037D8
_Find_unchecked.LIBCPMTD ref: 00007FF63FB037F1

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::~_$Find_uncheckedHandle
String ID:
API String ID: 1005945929-0
Opcode ID: 291345dabd49c7083a4d0a6fd68b288ae2a2360adec0d06b4a22fb5c96f750aa
Instruction ID: 34c61d98efa3fcd7b250a1bc41742d90102629d86e55bb41d7bf008f0f3661ba
Opcode Fuzzy Hash: 291345dabd49c7083a4d0a6fd68b288ae2a2360adec0d06b4a22fb5c96f750aa
Instruction Fuzzy Hash: E5F028A261DA8281DA54EB11F85106BA7A0FBC97D0F001031FACFC3B6ADFACD0009B40

Function 00007FF63FB0AB60 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB0AB78
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB0AB87
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF63FB0AB96
memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF63FB0EF75), ref: 00007FF63FB0ABBD

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::~_$memcmp
String ID:
API String ID: 2606901649-0
Opcode ID: 694c53b12d12f6eba441c196b00874dfc9c15d4e7ec539bb03d53240b683f1a5
Instruction ID: c16bda2e28e04fdf788021127ff7b3b606c843dce80f761018981746179989c9
Opcode Fuzzy Hash: 694c53b12d12f6eba441c196b00874dfc9c15d4e7ec539bb03d53240b683f1a5
Instruction Fuzzy Hash: 4BF0F472618B8581CA14EB11F8910ABB3A0FBD83C4F404535FACE82B6ADFBCC210CB40

Function 00007FF63FB12A8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

object key, xrefs: 00007FF63FB12B1C
object separator, xrefs: 00007FF63FB12D2C

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: object key$object separator
API String ID: 0-2279923633
Opcode ID: a8f2c7678eb8f3b54bc150a978054d1c7856fc2a79208d43f394fedce2280f94
Instruction ID: fd5bd99da5bc35d20844a0ab0ecae97dac89834818c4bbe96474514048b93494
Opcode Fuzzy Hash: a8f2c7678eb8f3b54bc150a978054d1c7856fc2a79208d43f394fedce2280f94
Instruction Fuzzy Hash: 9CC10AA260DAC194DA74AB15F4903EFB3A0EBC6784F400132E6CE87B9ADF2CD545DB41

Function 00007FF63FB141CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

object key, xrefs: 00007FF63FB1425C
object separator, xrefs: 00007FF63FB1446C

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: object key$object separator
API String ID: 0-2279923633
Opcode ID: 1e970a03f6bfa36e8a92cf90c08ce7a5caa9367753a1c01c580f077706461c82
Instruction ID: 0aaa7c2af14458e3b72c1745aed8de4343823016d3089827baca465b44fa5244
Opcode Fuzzy Hash: 1e970a03f6bfa36e8a92cf90c08ce7a5caa9367753a1c01c580f077706461c82
Instruction Fuzzy Hash: 39C10BA260DAC1D4DA74AB15E4913EFB3A0EBC6784F404132E6CE87B9ADF2CD544DB41

Function 00007FF63FB3F790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF63FBCEB00: Concurrency::cancellation_token::_FromImpl.LIBCPMTD ref: 00007FF63FBCEB2D
Part of subcall function 00007FF63FBCEB00: Concurrency::cancellation_token::_FromImpl.LIBCPMTD ref: 00007FF63FBCEB65

Part of subcall function 00007FF63FB16CD0: char_traits.LIBCPMTD ref: 00007FF63FB16CFD

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF63FB3F930

Strings

parse error, xrefs: 00007FF63FB3F833
parse_error, xrefs: 00007FF63FB3F7F2

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancellation_token::_FromImpl$Concurrency::details::EmptyQueue::StructuredWorkchar_traits
String ID: parse error$parse_error
API String ID: 3940763495-1820534363
Opcode ID: 225d94126315b9ff481c257670acb08f044ef1bb55069bb0d9d9c434ea7b6b3d
Instruction ID: 4eeca924edc88d49205af5225a904303069cdd0cc142beb3ce9ffc7ce6d64f4d
Opcode Fuzzy Hash: 225d94126315b9ff481c257670acb08f044ef1bb55069bb0d9d9c434ea7b6b3d
Instruction Fuzzy Hash: 7551E376609AC691DAA09B15F4903DBB7A4FBC5384F404122EACE83B6ADF3CD545DB40

Function 00007FF63FB30E10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94fileCOMMON

Download Yara Rule

APIs

?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z.MSVCP140 ref: 00007FF63FB30EF1
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF63FB30F60

Strings

, xrefs: 00007FF63FB30EA9

Memory Dump Source

Source File: 00000000.00000002.1546323219.00007FF63F9F1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF63F9F0000, based on PE: true

Associated: 00000000.00000002.1546304615.00007FF63F9F0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546585956.00007FF63FCD8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546655499.00007FF63FD8A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1546673307.00007FF63FD8C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff63f9f0000_SecuriteInfo.jbxd

Similarity

API ID: ?unshift@?$codecvt@Mbstatet@@Mbstatet@@@std@@fwrite
String ID:
API String ID: 1347553915-3916222277
Opcode ID: 94081bf84289e140f870bed1d50639b63d428586c365cbc78b24cb85a2ac98e2
Instruction ID: 1fe5415d88affd97d8d67726e2340b0cc2b5d6edfbb7bfd3bd1c260914c89fdf
Opcode Fuzzy Hash: 94081bf84289e140f870bed1d50639b63d428586c365cbc78b24cb85a2ac98e2
Instruction Fuzzy Hash: 63410B76A5C78186DB64DB15E4543AAB7A1FBC6784F101036EACE83BA8CF3CD444EB41

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3614ad19c0cf73c93992fea3fa40529655361d0_1eb0641c_22ceb5d7-5df2-476a-9f30-497bd522f034\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER7652.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER775C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER778C.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Function 00007FF63FCD1B34 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Function 00007FF63FB05AE0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 00007FF63FB04A10 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Function 00007FF63FB2FEB0 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Function 00007FF63FB04790 Relevance: 1.5, APIs: 1, Instructions: 9
COMMONLIBRARYCODE

Function 00007FF63FB0A5D0 Relevance: 21.2, APIs: 14, Instructions: 207
COMMON

Function 00007FF63FB6B850 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 169
COMMON

Function 00007FF63FB32910 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
COMMON