Edit tour

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Analysis ID:	1542454
MD5:	a57dad8c1dae1fa551709713fa74bbee
SHA1:	42bc8573f4eb0a5e1ee83b7bce5dcc952526cb88
SHA256:	3744aed5783f8ffd6dff8d8beb8bfccf8abd1320bc86f58d281f29bc58695ec0
Tags:	exe
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to query locales information (e.g. system language)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample file is different than original file name gathered from version info

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe (PID: 3012 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5: A57DAD8C1DAE1FA551709713FA74BBEE)

conhost.exe (PID: 3060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5640 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

certutil.exe (PID: 3148 cmdline: certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 MD5: F17616EC0522FC5633151F7CAA278CAA)

find.exe (PID: 5892 cmdline: find /i /v "md5" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

find.exe (PID: 3008 cmdline: find /i /v "certutil" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)

cmd.exe (PID: 6588 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

cmd.exe (PID: 6284 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2876 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 4028 cmdline: timeout /t 5 MD5: 100065E21CFBBDE57CBA2838921F84D6)

WerFault.exe (PID: 6788 cmdline: C:\Windows\system32\WerFault.exe -u -p 3012 -s 424 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

ReversingLabs: Detection: 23%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_d5f26adc-f

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\ied_sec_client_proj\trunk\tessafe\Bin\amd64\TesSafe64.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source:	Binary string: d:\sandbox\154167\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source:	Binary string: C:\Users\gg\Desktop\projects\KernelVault\keyauth-cpp-library-main clix\DriverLoader2\DriverLoader2\x64\Release\DriverLoader2.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Source: Joe Sandbox View

IP Address: 104.26.0.5 104.26.0.5

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: Amcache.hve.13.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600192022.000001C0852DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2599979839.000000B02718D000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600192022.000001C0852DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/acec
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600192022.000001C0852DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/og5f

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.5:49708 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF7176D6680

0_2_00007FF7176D6680

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3012 -s 424

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTesSafe64.sys vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000000.2052537031.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000000.2052537031.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTesSafe64.sys vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Binary or memory string: OriginalFilenameiQVW64.SYSH vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Binary or memory string: OriginalFilenameTesSafe64.sys vs SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Binary string: TesSafe\Device\TesSafe\DosDevices\TesSafe
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Binary string: \Device\Nal

Source: classification engine

Classification label: mal56.winEXE@18/5@1/2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2876:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3012

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\020bfd90-bf78-41db-9ded-8bf77a89730f

Jump to behavior

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

ReversingLabs: Detection: 23%

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

String found in binary or memory: iphlpapi.dllif_nametoindexkernel32LoadLibraryExA\/AddDllDirectory

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3012 -s 424
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\certutil.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\System32\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\System32\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static file information: File size 3873408 > 1048576

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2e6a00

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\ied_sec_client_proj\trunk\tessafe\Bin\amd64\TesSafe64.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source:	Binary string: d:\sandbox\154167\sdk\nal\src\winnt_wdm\driver\objfre_wnet_AMD64\amd64\iqvw64e.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Source:	Binary string: C:\Users\gg\Desktop\projects\KernelVault\keyauth-cpp-library-main clix\DriverLoader2\DriverLoader2\x64\Release\DriverLoader2.pdb source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

API coverage: 0.7 %

Source: C:\Windows\System32\timeout.exe TID: 892

Thread sleep count: 38 > 30

Jump to behavior

Source: Amcache.hve.13.dr	Binary or memory string: VMware
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.13.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.13.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.13.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.13.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.13.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.13.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.13.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.13.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.13.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.13.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.13.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.13.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.13.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.13.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.13.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.13.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600192022.000001C0852DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllXX
Source: Amcache.hve.13.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF7178A1A58 __vcrt_InitializeCriticalSectionEx,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF7178A1A58

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF7178A1A58 __vcrt_InitializeCriticalSectionEx,GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_00007FF7178A1A58

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF7176FEE60 GetProcessHeap,

0_2_00007FF7176FEE60

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF7178A212C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00007FF7178A212C

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00007FF7178A1278

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Code function: 0_2_00007FF7178A2BA0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7178A2BA0

Source: Amcache.hve.13.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.13.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	41 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	24%	ReversingLabs
SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe
https://curl.haxx.se/docs/http-cookies.html	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.0.5	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://keyauth.win/api/1.2/og5f	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600192022.000001C0852DC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/acec	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600192022.000001C0852DC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.13.dr	false	URL Reputation: safe	unknown
https://curl.haxx.se/docs/http-cookies.html	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	false	URL Reputation: safe	unknown
https://keyauth.win/api/1.2/	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2600192022.000001C0852DC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe, 00000000.00000002.2599979839.000000B02718D000.00000004.00000010.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.0.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1542454
Start date and time:	2024-10-25 23:48:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Detection:	MAL
Classification:	mal56.winEXE@18/5@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.0.5	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse
	dGuXzI4UlT.exe	Get hash	malicious	Unknown	Browse
	vjlICWbvGT.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.7613.15918.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	dGuXzI4UlT.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	vjlICWbvGT.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	v2hvYA53Ys.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	Zl5QaBwsTJ.exe	Get hash	malicious	Stealc	Browse	104.21.56.70
	https://louisianalaw.us/awI1AlsoTxn2APQ3EspQ3E4RAI1AoTxnz01coTxm&c=E,1,vvMSQz5CSzvUF_pnZgRSmb_4_6IhFVsFaIdJFKN2k78xDXcVLKO_NH-275AIvCQYfKD3jL3qc4bCIgEC2N6Rr4xli-ez6GBrwxbUrVz5hy4g&typo=1	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://certify.us.com/D5QkoQ3Eniw4G2APQ3ED5QpQ3E4RAionz01coq01	Get hash	malicious	Unknown	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	188.114.97.3
	setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	sgM0Akbldk.exe	Get hash	malicious	Stealc	Browse	172.67.179.207
	5Z1WFRMTOXRH6X21Z8NU8.exe	Get hash	malicious	Unknown	Browse	188.114.97.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ce5f3254611a8c095a3d821d44539877	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.FileRepMalware.12632.12594.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.FileRepMalware.8628.17723.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.29573.28124.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Iyto7FYCJO.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.Evo-gen.20301.32747.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.MalwareX-gen.32411.29244.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Frozen_Slotted.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.TrojanX-gen.12317.30120.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3614ad19c0cf73c93992fea3fa40529655361d0_1eb0641c_8052aff8-107d-4b21-96e2-11f6789039ee\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9201048697253654
Encrypted:	false
SSDEEP:	96:jCFKF46ssChqtY7q4BSFQXIDcQlc6WcE8cw3d/x+HbHg/8BRTf3o8Fa9KUNsPQEy:jDG6sqV+07SmJ+jHOzuiFeZ24lO8U
MD5:	099A2253FF86BCB911DE77324ABEF5EB
SHA1:	2E7EF81608347DC0E6FB7F6C4FA93D152B592AAE
SHA-256:	409BD710E113B97326C4D041E31ED76C01DE28B203308BAE8CDA702809CE9C4C
SHA-512:	81254EA9923C7D4B870C61B37D9C818009DCD207A53CFB1739466549885C8D8A7B6716FDA6E1E580045484E169A18D40D70FCF11B63612A16A3EE653141F8188
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.6.4.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.3.6.6.5.6.6.1.9.6.3.3.5.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.3.6.6.5.6.6.6.4.9.4.6.5.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.0.5.2.a.f.f.8.-.1.0.7.d.-.4.b.2.1.-.9.6.e.2.-.1.1.f.6.7.8.9.0.3.9.e.e.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.f.b.5.4.8.7.7.-.e.0.b.3.-.4.3.2.c.-.a.9.0.3.-.7.8.f.4.a.0.3.0.c.3.5.b.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...V.a.r.i.a.n.t...T.e.d.y...6.2.7.9.1.5...5.9.9...8.7.4.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.b.c.4.-.0.0.0.1.-.0.0.1.4.-.7.5.0.c.-.1.f.c.1.2.7.2.7.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.f.8.d.8.5.3.c.7.1.5.f.1.2.d.1.e.9.e.d.0.a.8.8.3.a.d.f.0.8.7.5.a.0.0.0.0.f.f.f.f.!.0.0.0.0.4.2.b.c.8.5.7.3.f.4.e.b.0.a.5.e.1.e.e.8.3.b.7.b.c.e.5.d.c.c.9.5.2.5.2.6.c.b.8.8.!.S.e.c.u.r.i.t.e.I.

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB0.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Fri Oct 25 21:49:26 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	158670
Entropy (8bit):	1.5976030207549874
Encrypted:	false
SSDEEP:	192:rTnT8mZ3yUcpOlRvVUB05IEMxe0Ru+QOOC94:3nT8s3yUzlR2i5zMRzQmu
MD5:	169F67D796631A0DCAFD7CEF132234B9
SHA1:	9831F9BDB297BB0A37F515A7D89ED6B7B3876CE8
SHA-256:	6DB569B0EB2EBB89FD04C40EA322F81240C1BCACFA4A691A960419070FF4118C
SHA-512:	4235D82732E0CB6BD22D1EF36D6184D46CD82E0CB855EA8DBBD27EDAA22826B6ED80B026AC525B93B0F4B350B8B831A008CAD282FF244B0198517089C6D17826
Malicious:	false
Preview:	MDMP..a..... .......f..g....................................$....7..........T.......8...........T................Q......................................................................................................eJ......\.......Lw......................T...........c..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8C.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	9022
Entropy (8bit):	3.6997485529731486
Encrypted:	false
SSDEEP:	192:R6l7wVeJuKP61u6YEI6cytgmfp0DFpDy89bC+8fcWm:R6lXJ7P61u6YEFNtgmfp0/Cdf0
MD5:	C96B3C7E9E494031AEBAA6095F94A314
SHA1:	5152DE927551A7B97772B4C799E6DBBC2D0BD256
SHA-256:	5223C3F9658D6EDF197AF9C25E1DC6F45D3F27F00BFC2B78AA924072DA55E9ED
SHA-512:	C620FE11E89DCB34F700F668B5593E3CDEF76F49B361CEECBADC22FC854993EBFD925A9FBA641C0BB779EEB00B06A0B2E59490C49A51E6BC35BB2550A486C0D6
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.0.1.2.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBC.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5001
Entropy (8bit):	4.544997033486
Encrypted:	false
SSDEEP:	96:uIjfTkI7UJ7VaJ/IA2Md3WQA2MqpY+oo+Id:uIvkYUJ7Y/IA2M9A2MqpY+T+2
MD5:	1FD4E7FDBC3B2334A2296813A3151C09
SHA1:	9FF95E866BEEF2907FD1B8A231E339F42CA22810
SHA-256:	6CD954658E02A1797A7C400507E0D8276D425E9AB17C09AACEAD2F26608099A5
SHA-512:	8F269F2058A1722BDA8EBEDFBA3692329994D9A81462423A98ED223F2AEF2AC9DD708F08D0F1128C71ADBB147B52EBC51B5018194A8BE8A347B51D64F009C914
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="559492" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.421806827489751
Encrypted:	false
SSDEEP:	6144:4Svfpi6ceLP/9skLmb0OTZWSPHaJG8nAgeMZMMhA2fX4WABlEnN80uhiTw:DvloTZW+EZMM6DFyG03w
MD5:	A3314DC3F41062523ED711E1B2CF6664
SHA1:	B0707A80ECCB33B8618D4F36408C53FCBB09D36F
SHA-256:	B14CB774851363ECEB4E1833F3F6E5A4DBA4B29A9A6BDC757FB504CC78EB4A15
SHA-512:	990D0A8C13E266219AE5D637B019411350DEE4AE04C0A4915205A11DA5AD78B9CFC3D78D09FB20EA997BB32B36CC0C02406809B2CED039515E7DBE4DD39D4DF9
Malicious:	false
Preview:	regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.4..''.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit):	6.317056142370199
TrID:	Win64 Executable Console (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
File size:	3'873'408 bytes
MD5:	a57dad8c1dae1fa551709713fa74bbee
SHA1:	42bc8573f4eb0a5e1ee83b7bce5dcc952526cb88
SHA256:	3744aed5783f8ffd6dff8d8beb8bfccf8abd1320bc86f58d281f29bc58695ec0
SHA512:	49dfa57823633adcb1d4ff878136bc5dfbe357f526c4d5aa8f4e4f464ee6d34349a4df5e68aa4ed0de32d64c42f44488404bb0967e408df00ea39dfa6f1fc1b7
SSDEEP:	49152:cCC5fA3V7/6Qqj2jsJRyhQ8jl4SAc6Li:c/VA/d5QSaL
TLSH:	14066B065BEED0D8C070407821863217E6327C480A2ADBF71FD08B9667E776966BFF56
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2S..v2..v2..v2...J..`2....x.~2......r2......\|2......S2......p2...B...2..=J..k2..v2...3..e...q2..e...t2..e.z.w2..e...w2..Richv2.

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x1402e262c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66C54A5D [Wed Aug 21 02:01:01 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5315b8464aa682f0e3d3b00df735a946

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F0BBC87B2F0h
dec eax
add esp, 28h
jmp 00007F0BBC87ABF7h
int3
int3
dec eax
mov dword ptr [esp+10h], ebx
dec eax
mov dword ptr [esp+18h], esi
push ebp
push edi
inc ecx
push esi
dec eax
mov ebp, esp
dec eax
sub esp, 10h
xor eax, eax
xor ecx, ecx
cpuid
inc esp
mov eax, ecx
inc esp
mov edx, edx
inc ecx
xor edx, 49656E69h
inc ecx
xor eax, 6C65746Eh
inc esp
mov ecx, ebx
inc esp
mov esi, eax
xor ecx, ecx
mov eax, 00000001h
cpuid
inc ebp
or edx, eax
mov dword ptr [ebp-10h], eax
inc ecx
xor ecx, 756E6547h
mov dword ptr [ebp-0Ch], ebx
inc ebp
or edx, ecx
mov dword ptr [ebp-08h], ecx
mov edi, ecx
mov dword ptr [ebp-04h], edx
jne 00007F0BBC87ADDDh
dec eax
or dword ptr [000B7A85h], FFFFFFFFh
and eax, 0FFF3FF0h
dec eax
mov dword ptr [000B7A6Dh], 00008000h
cmp eax, 000106C0h
je 00007F0BBC87ADAAh
cmp eax, 00020660h
je 00007F0BBC87ADA3h
cmp eax, 00020670h
je 00007F0BBC87AD9Ch
add eax, FFFCF9B0h
cmp eax, 20h
jnbe 00007F0BBC87ADA6h
dec eax
mov ecx, 00010001h
add dword ptr [eax], eax
add byte ptr [eax], al
dec eax
bt ecx, eax
jnc 00007F0BBC87AD96h
inc esp
mov eax, dword ptr [000B8D5Bh]
inc ecx
or eax, 01h
inc esp
mov dword ptr [000B8D50h], eax

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x396140	0x21c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3a6000	0x1e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x39c000	0x9abc	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3a7000	0x600	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x32d2a0	0x70	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x32d380	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x32d160	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2e8000	0xd78	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2e6890	0x2e6a00	249b1edcc5d16a058e72c3d76adff375	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2e8000	0xb1e9e	0xb2000	2243bfab32c6ece4826bbca0b59165af	False	0.4939239159058989	data	6.847170492622551	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x39a000	0x1488	0xa00	fc2b7bf89c934172bbfecdd94ba069e5	False	0.217578125	data	4.052491232704579	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x39c000	0x9abc	0x9c00	5929590dd1d4dbba8e1518d3f590e613	False	0.4462139423076923	data	5.977831928262313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3a6000	0x1e0	0x200	6b3b1701e7ba0fd5f2721ec922bfab3f	False	0.52734375	data	4.70672250389512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3a7000	0x600	0x600	04e47fa203d86d5e6d8e4bbe9c50c4d6	False	0.5904947916666666	data	5.362807738496344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_MANIFEST	0x3a6060	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	LocalFree, GetModuleHandleW, GetModuleHandleA, GetModuleFileNameW, GetModuleFileNameA, InitializeSListHead, GetSystemTimeAsFileTime, IsProcessorFeaturePresent, TerminateProcess, UnhandledExceptionFilter, SleepConditionVariableSRW, WakeAllConditionVariable, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, IsDebuggerPresent, GetFileInformationByHandleEx, AreFileApisANSI, DeviceIoControl, GetFileAttributesExW, FindFirstFileW, FindClose, CreateDirectoryW, GetCurrentDirectoryW, GetLocaleInfoEx, GetFileSizeEx, CreateFileA, WaitForMultipleObjects, PeekNamedPipe, ReadFile, GetFileType, GetStdHandle, GetEnvironmentVariableA, MultiByteToWideChar, WaitForSingleObjectEx, MoveFileExA, GetTickCount, QueryPerformanceCounter, VerifyVersionInfoA, LoadLibraryA, FreeLibrary, QueryPerformanceFrequency, SleepEx, LeaveCriticalSection, EnterCriticalSection, FormatMessageA, SetLastError, WideCharToMultiByte, GetCurrentProcessId, GetCurrentThreadId, VirtualAlloc, VirtualFree, GetProcAddress, GetSystemDirectoryA, GetTempPathW, CreateFileW, SetUnhandledExceptionFilter, GetCurrentProcess, Sleep, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, HeapDestroy, GetLastError, CloseHandle, OutputDebugStringW
USER32.dll	MessageBoxA
ADVAPI32.dll	CryptEncrypt, GetUserNameA, IsValidSid, GetTokenInformation, GetLengthSid, CopySid, OpenProcessToken, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, RegCloseKey, RegCreateKeyW, RegOpenKeyW, RegSetKeyValueW, RegDeleteTreeW, CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptGenRandom, CloseServiceHandle, StartServiceA, OpenServiceA, OpenSCManagerA, DeleteService, CreateServiceA, ConvertSidToStringSidW
SHELL32.dll	ShellExecuteA
MSVCP140.dll	?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ, ?fill@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WXZ, ?widen@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBA_WD@Z, ?write@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@PEBD_J@Z, ?_Osfx@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAXXZ, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@_K@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@PEBX@Z, ?put@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@_W@Z, ?flush@?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV12@XZ, ?_Fiopen@std@@YAPEAU_iobuf@@PEB_WHH@Z, ?wcout@std@@3V?$basic_ostream@_WU?$char_traits@_W@std@@@1@A, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAV01@AEAV01@@Z@Z, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@D@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@J@Z, ??6?$basic_ostream@_WU?$char_traits@_W@std@@@std@@QEAAAEAV01@K@Z, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?widen@?$ctype@_W@std@@QEBA_WD@Z, ?_Getcat@?$ctype@_W@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?getloc@ios_base@std@@QEBA?AVlocale@2@XZ, ?id@?$ctype@_W@std@@2V0locale@2@A, ?_Xinvalid_argument@std@@YAXPEBD@Z, ?is@?$ctype@D@std@@QEBA_NFD@Z, ?_Getcat@?$ctype@D@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?rdstate@ios_base@std@@QEBAHXZ, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAADD@Z, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UEAA@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JPEAD_J@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAPEAD0PEAH001@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXXZ, ?_Pnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Pninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z, ?pbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?_Gnavail@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBA_JXZ, ?_Gninc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?_Gndec@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAPEADXZ, ?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z, ?gbump@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXH@Z, ?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?setstate@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEAAXH_N@Z, ?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z, ?sputc@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAAG_W@Z, ??7ios_base@std@@QEBA_NXZ, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAAXXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAA_JXZ, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAPEAV12@PEAD_J@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAHXZ, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MEAAXAEBVlocale@2@@Z, ?_Fiopen@std@@YAPEAU_iobuf@@PEBDHH@Z, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Xbad_function_call@std@@YAXXZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?pbase@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?gptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAA_JPEBD_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEBA?AVlocale@2@XZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?width@ios_base@std@@QEAA_J_J@Z, ?width@ios_base@std@@QEBA_JXZ, ?setf@ios_base@std@@QEAAHHH@Z, ?flags@ios_base@std@@QEBAHXZ, ?good@ios_base@std@@QEBA_NXZ, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z, ?out@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEBD1AEAPEBDPEAD3AEAPEAD@Z, ?always_noconv@codecvt_base@std@@QEBA_NXZ, ?_Getgloballocale@locale@std@@CAPEAV_Locimp@12@XZ, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z, ??Bid@locale@std@@QEAA_KXZ, ?tie@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_ostream@_WU?$char_traits@_W@std@@@2@XZ, ?_Winerror_map@std@@YAHH@Z, ?_Syserror_map@std@@YAPEBDH@Z, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADD@Z, ?uncaught_exceptions@std@@YAHXZ, ?_Xout_of_range@std@@YAXPEBD@Z, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV12@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAAEAV01@P6AAEAVios_base@1@AEAV21@@Z@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAAXXZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UEAA@XZ, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QEAA@PEAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IEAA@XZ, ?_Xlength_error@std@@YAXPEBD@Z, ??1_Lockit@std@@QEAA@XZ, ??0_Lockit@std@@QEAA@H@Z
Normaliz.dll	IdnToAscii
WLDAP32.dll
CRYPT32.dll	CertFreeCertificateChain, CertGetCertificateChain, CertFreeCertificateChainEngine, CertCreateCertificateChainEngine, CryptQueryObject, CertGetNameStringA, CertFindExtension, CertOpenStore, CryptDecodeObjectEx, PFXImportCertStore, CryptStringToBinaryA, CertFreeCertificateContext, CertFindCertificateInStore, CertEnumCertificatesInStore, CertCloseStore, CertAddCertificateContextToStore
WS2_32.dll	WSAGetLastError, getpeername, recv, closesocket, bind, connect, getsockname, getsockopt, htons, ntohs, ntohl, socket, WSASetLastError, WSAIoctl, WSAStartup, select, WSACleanup, accept, gethostname, listen, ioctlsocket, __WSAFDIsSet, freeaddrinfo, getaddrinfo, recvfrom, send, sendto, setsockopt, htonl
SHLWAPI.dll	PathFindFileNameW
RPCRT4.dll	RpcStringFreeA, UuidToStringA, UuidCreate
USERENV.dll	UnloadUserProfile
ntdll.dll	RtlCaptureContext, VerSetConditionMask, RtlInitUnicodeString, NtQuerySystemInformation, RtlLookupFunctionEntry, RtlVirtualUnwind
VCRUNTIME140.dll	__C_specific_handler, strrchr, __current_exception_context, memset, memcpy, strstr, __current_exception, _purecall, wcsstr, memmove, memcmp, memchr, __std_exception_copy, _CxxThrowException, strchr, __std_exception_destroy
VCRUNTIME140_1.dll	__CxxFrameHandler4
api-ms-win-crt-runtime-l1-1-0.dll	_c_exit, __p___argv, __p___argc, terminate, _set_app_type, _seh_filter_exe, system, _resetstkoflw, _configure_narrow_argv, _invalid_parameter_noinfo, _beginthreadex, _invalid_parameter_noinfo_noreturn, _exit, _cexit, _crt_atexit, exit, _initterm_e, _register_thread_local_exe_atexit_callback, abort, _initterm, _initialize_narrow_environment, strerror, _getpid, _register_onexit_function, __sys_nerr, _get_initial_narrow_environment, _errno, _initialize_onexit_table
api-ms-win-crt-heap-l1-1-0.dll	free, calloc, _recalloc, _callnewh, realloc, malloc, _set_new_mode
api-ms-win-crt-convert-l1-1-0.dll	atoi, strtod, strtol, strtoul, strtoll, strtoull
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-stdio-l1-1-0.dll	__stdio_common_vsscanf, __acrt_iob_func, fseek, _lseeki64, ftell, feof, fgets, _open, _close, _write, _get_stream_buffer_pointers, _read, __p__commode, fclose, fflush, fgetc, fgetpos, _set_fmode, __stdio_common_vsprintf, fopen, fputs, ungetc, setvbuf, _popen, _pclose, fwrite, _fseeki64, fsetpos, fread, fputc
api-ms-win-crt-filesystem-l1-1-0.dll	_wremove, _stat64, remove, _lock_file, _fstat64, _access, _unlink, _unlock_file
api-ms-win-crt-time-l1-1-0.dll	_localtime64, _gmtime64, strftime, _time64
api-ms-win-crt-locale-l1-1-0.dll	localeconv, ___lc_codepage_func, _configthreadlocale
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dsign, _dclass
api-ms-win-crt-string-l1-1-0.dll	strpbrk, strcmp, strcspn, _stricmp, strspn, isupper, strncpy, strncmp, tolower, _strdup
api-ms-win-crt-utility-l1-1-0.dll	rand, qsort, srand

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 23:49:24.685077906 CEST	49708	443	192.168.2.5	104.26.0.5
Oct 25, 2024 23:49:24.685147047 CEST	443	49708	104.26.0.5	192.168.2.5
Oct 25, 2024 23:49:24.685219049 CEST	49708	443	192.168.2.5	104.26.0.5
Oct 25, 2024 23:49:24.695950985 CEST	49708	443	192.168.2.5	104.26.0.5
Oct 25, 2024 23:49:24.696017981 CEST	443	49708	104.26.0.5	192.168.2.5
Oct 25, 2024 23:49:25.320939064 CEST	443	49708	104.26.0.5	192.168.2.5
Oct 25, 2024 23:49:25.321214914 CEST	49708	443	192.168.2.5	104.26.0.5
Oct 25, 2024 23:49:26.350505114 CEST	49708	443	192.168.2.5	104.26.0.5
Oct 25, 2024 23:49:26.350552082 CEST	443	49708	104.26.0.5	192.168.2.5
Oct 25, 2024 23:49:26.350897074 CEST	443	49708	104.26.0.5	192.168.2.5
Oct 25, 2024 23:49:26.350931883 CEST	49708	443	192.168.2.5	104.26.0.5
Oct 25, 2024 23:49:26.350939989 CEST	443	49708	104.26.0.5	192.168.2.5
Oct 25, 2024 23:49:26.350981951 CEST	49708	443	192.168.2.5	104.26.0.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 25, 2024 23:49:24.668593884 CEST	53396	53	192.168.2.5	1.1.1.1
Oct 25, 2024 23:49:24.679630041 CEST	53	53396	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 25, 2024 23:49:24.668593884 CEST	192.168.2.5	1.1.1.1	0xec00	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 25, 2024 23:49:24.679630041 CEST	1.1.1.1	192.168.2.5	0xec00	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Oct 25, 2024 23:49:24.679630041 CEST	1.1.1.1	192.168.2.5	0xec00	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Oct 25, 2024 23:49:24.679630041 CEST	1.1.1.1	192.168.2.5	0xec00	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	17:49:23
Start date:	25/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe"
Imagebase:	0x7ff7175c0000
File size:	3'873'408 bytes
MD5 hash:	A57DAD8C1DAE1FA551709713FA74BBEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	17:49:23
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:49:23
Start date:	25/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Imagebase:	0x7ff63fc50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:49:23
Start date:	25/10/2024
Path:	C:\Windows\System32\certutil.exe
Wow64 process (32bit):	false
Commandline:	certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe" MD5
Imagebase:	0x7ff6864d0000
File size:	1'651'712 bytes
MD5 hash:	F17616EC0522FC5633151F7CAA278CAA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:49:23
Start date:	25/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "md5"
Imagebase:	0x7ff7f8980000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:49:23
Start date:	25/10/2024
Path:	C:\Windows\System32\find.exe
Wow64 process (32bit):	false
Commandline:	find /i /v "certutil"
Imagebase:	0x7ff7f8980000
File size:	17'920 bytes
MD5 hash:	4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	17:49:25
Start date:	25/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff63fc50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:49:25
Start date:	25/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x7ff63fc50000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:49:25
Start date:	25/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:49:25
Start date:	25/10/2024
Path:	C:\Windows\System32\timeout.exe
Wow64 process (32bit):	false
Commandline:	timeout /t 5
Imagebase:	0x7ff6c5410000
File size:	32'768 bytes
MD5 hash:	100065E21CFBBDE57CBA2838921F84D6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:49:26
Start date:	25/10/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 3012 -s 424
Imagebase:	0x7ff78e9f0000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	1.3%
Total number of Nodes:	77
Total number of Limit Nodes:	4

Executed Functions

Function 00007FF7178A1B34 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00007FF7176FFD43,?,?,?,?,?,?,?,?,?,00007FF717704340), ref: 00007FF7178A1B4E
Concurrency::cancel_current_task.LIBCPMT ref: 00007FF7178A1B64

Part of subcall function 00007FF7178A2930: std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF7178A2939
Part of subcall function 00007FF7178A2930: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF7178A1B69,?,?,?,00007FF7176FFD43), ref: 00007FF7178A294A

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrowmallocstd::bad_alloc::bad_alloc
String ID:
API String ID: 514126270-0
Opcode ID: f8a4103838cfa4670266cde32cbc1b6d3760155078776d00e363d5b4da3d2167
Instruction ID: 80bb79109ca133054718f8443d788b91a326ecb37fb44ac76100175a58490a10
Opcode Fuzzy Hash: f8a4103838cfa4670266cde32cbc1b6d3760155078776d00e363d5b4da3d2167
Instruction Fuzzy Hash: 75E0B601E1DA1B05FB39366114154B488500F98FB0E9C1734D93D096C3FD1CA47F4130

Function 00007FF7176D5AE0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176D5B0C

Part of subcall function 00007FF7176DC530: Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176DC5A6
Part of subcall function 00007FF7176DC530: Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176DC5B5

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::~_$Concurrency::details::EmptyQueue::StructuredWork
String ID:
API String ID: 2595383736-0
Opcode ID: 576b010e4d79c71d416d7fa9ea3cde484612d8b2d44409d99271f6b5ee5e5ba0
Instruction ID: 0cfec89f4b70503aa60ef4dfbb7fc83af084292efe72c7ad071b28339e276d49
Opcode Fuzzy Hash: 576b010e4d79c71d416d7fa9ea3cde484612d8b2d44409d99271f6b5ee5e5ba0
Instruction Fuzzy Hash: 86213932628F8981DA10EB15F49025AB7A1F7C9BD4F901126FACD43B2ADF3CD156CB10

Function 00007FF7176D4A10 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF717703510: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00007FF717703519
Part of subcall function 00007FF717703510: _CxxThrowException.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF7176D4A38), ref: 00007FF71770352A

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00007FF7176D4772), ref: 00007FF7176D4A52

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow_invalid_parameter_noinfo_noreturnstdext::threads::lock_error::lock_error
String ID:
API String ID: 2622805724-0
Opcode ID: 6374f793fb6f722ee5878ab83d7be588fd6d591f92a24dbc7afee8e052767654
Instruction ID: 3ffe2e5fee3941018faaa0fb0289c477f5912a3caee1d4924f0a2e86ae7b0642
Opcode Fuzzy Hash: 6374f793fb6f722ee5878ab83d7be588fd6d591f92a24dbc7afee8e052767654
Instruction Fuzzy Hash: 44015662628F4181DA60AB18E48032FE794FB887B4F441631EADD43B99EF3CD5668B14

Function 00007FF7176FFEB0 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176FFEF3

Part of subcall function 00007FF7176D4790: allocator.LIBCONCRTD ref: 00007FF7176D47AB

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::EmptyQueue::StructuredWorkallocator
String ID:
API String ID: 1755220593-0
Opcode ID: b78befe849ce56f157e027da90f8e68232d6b693ab0334466e71ee11ad11378e
Instruction ID: fae4002ca1f2da8a7a785840f93816868c6827cca04ffd9ffa902559d8ff5536
Opcode Fuzzy Hash: b78befe849ce56f157e027da90f8e68232d6b693ab0334466e71ee11ad11378e
Instruction Fuzzy Hash: 85015E36619F8482CA60DB0AF89011EB7A5F7C9BA4F504125FACE83B29DF3CD1618B00

Function 00007FF7176D4790 Relevance: 1.5, APIs: 1, Instructions: 9
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

allocator.LIBCONCRTD ref: 00007FF7176D47AB

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: allocator
String ID:
API String ID: 3447690668-0
Opcode ID: c46cd13c757347ee5ae45a1ac98d4f5a8e92b1abd091d4f9b2d6aefa4f4cafc4
Instruction ID: c95bbc4ef661b5b39e91720b6720392c4d19d7ac41c045d81bcd561b75d95956
Opcode Fuzzy Hash: c46cd13c757347ee5ae45a1ac98d4f5a8e92b1abd091d4f9b2d6aefa4f4cafc4
Instruction Fuzzy Hash: 7DC0C976A29F8481CA04EB12F88100AB360F7C9BC1F90A421EA8E03729CF28C0598B00

Non-executed Functions

Function 00007FF7178A1A58 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

__vcrt_InitializeCriticalSectionEx.LIBVCRUNTIMED ref: 00007FF7178A1AB0

Part of subcall function 00007FF7176FFD60: InitializeCriticalSectionEx.KERNEL32 ref: 00007FF7176FFD80

GetLastError.KERNEL32 ref: 00007FF7178A1AB9
IsDebuggerPresent.KERNEL32 ref: 00007FF7178A1AD1
OutputDebugStringW.KERNEL32 ref: 00007FF7178A1AE2

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00007FF7178A1ADB

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: CriticalInitializeSection$DebugDebuggerErrorLastOutputPresentString__vcrt_
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3055932891-631824599
Opcode ID: 783119a43e65aac90d12e51b1c615accf096e0dfaa7eb4c44b9032a0703a7d66
Instruction ID: 1c9cbe8167821c402a328cae8ecabc6bff16acfac1c37d1b32cf375d09c1d35b
Opcode Fuzzy Hash: 783119a43e65aac90d12e51b1c615accf096e0dfaa7eb4c44b9032a0703a7d66
Instruction Fuzzy Hash: 08118C32A14F5293E744AB22DA543B9B6A0FB44764F804035C60D42A92EF3CE5BEC720

Function 00007FF7178A2BA0 Relevance: 6.0, APIs: 4, Instructions: 39timethreadCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32 ref: 00007FF7178A2BCC
GetCurrentThreadId.KERNEL32 ref: 00007FF7178A2BDA
GetCurrentProcessId.KERNEL32 ref: 00007FF7178A2BE6
QueryPerformanceCounter.KERNEL32 ref: 00007FF7178A2BF6

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
String ID:
API String ID: 2933794660-0
Opcode ID: 4e2d1bd58a9d8448902597674e7da3e3367d4cfbcb8d42016aa474c77cdf1e72
Instruction ID: c99e053f82efbda5e9a82537fb2a0502caaa9778ddffb93bb75324f0380a0790
Opcode Fuzzy Hash: 4e2d1bd58a9d8448902597674e7da3e3367d4cfbcb8d42016aa474c77cdf1e72
Instruction Fuzzy Hash: 70113622B24F068AEB009F60E8542B877B4FB19B68F840A31DA6D427A5DF7CD5698350

Function 00007FF7178A1278 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(?,?,?,?,?,?,?,00007FF7176E860A), ref: 00007FF7178A129E
FormatMessageA.KERNEL32 ref: 00007FF7178A12D1

Strings

!x-sys-default-locale, xrefs: 00007FF7178A1291

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: ae7cb96a73b823519f046e9a82413b3af816002884d7848d87413d8fa98ec08b
Instruction ID: ec6a5304d57c231623a64a8aa2d7438258374af6585055136a4e322bf64397b0
Opcode Fuzzy Hash: ae7cb96a73b823519f046e9a82413b3af816002884d7848d87413d8fa98ec08b
Instruction Fuzzy Hash: A701C471F0CF8182E7119B51B4007BAABA1F788BE4F844135DA4947B9ADF3CD51AC710

Function 00007FF7176FEE60 Relevance: 1.3, APIs: 1, Instructions: 51memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7178A1E70: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7176FEF0E,?,?,?,?,00007FF7176E81DE,?,?,?,?,00007FF7175C1050), ref: 00007FF7178A1E80

GetProcessHeap.KERNEL32(?,?,?,?,00007FF7176E81DE,?,?,?,?,00007FF7175C1050), ref: 00007FF7176FEEAF

Part of subcall function 00007FF7178A1E04: AcquireSRWLockExclusive.KERNEL32(?,?,?,00007FF7176FEF53,?,?,?,?,00007FF7176E81DE,?,?,?,?,00007FF7175C1050), ref: 00007FF7178A1E14
Part of subcall function 00007FF7178A1E04: ReleaseSRWLockExclusive.KERNEL32(?,?,?,00007FF7176FEF53,?,?,?,?,00007FF7176E81DE,?,?,?,?,00007FF7175C1050), ref: 00007FF7178A1E54

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: ExclusiveLock$Acquire$HeapProcessRelease
String ID:
API String ID: 3865638231-0
Opcode ID: 71a3de95a5db07dcad1cd2507a2d500c210894f8145dd710bfa4608815be444e
Instruction ID: 6c1f14eb2986500f3730d2f481b302b1aad433a01d8b2ccb327fbd1dae32e773
Opcode Fuzzy Hash: 71a3de95a5db07dcad1cd2507a2d500c210894f8145dd710bfa4608815be444e
Instruction Fuzzy Hash: 9021CE24E19E1396EB00F714EC611B4AB75EF94B61FC05132D40E422A3DE2CEA5EC764

Function 00007FF7176D6680 Relevance: .7, Instructions: 713COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741ea51273af6ced77d8204fa0c22d04b1cf6953300260873340e5f8a9195d54
Instruction ID: 6f8f186aea73e60c4ed80b53fee2f2b6c74dd37f06260d5ee28c8e1777c6041e
Opcode Fuzzy Hash: 741ea51273af6ced77d8204fa0c22d04b1cf6953300260873340e5f8a9195d54
Instruction Fuzzy Hash: 8182B036219AC58ADB70CB19E4907AEB7A1F3C8B94F544126EACD83B59CE3CD555CF00

Function 00007FF7176DA5D0 Relevance: 21.2, APIs: 14, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF7176DA620
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF7176DA64B
?width@ios_base@std@@QEBA_JXZ.MSVCP140 ref: 00007FF7176DA686
?flags@ios_base@std@@QEBAHXZ.MSVCP140 ref: 00007FF7176DA6F3
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF7176DA742
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140 ref: 00007FF7176DA76D
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7176DA781
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF7176DA7E9
?sputn@?$basic_streambuf@_WU?$char_traits@_W@std@@@std@@QEAA_JPEB_W_J@Z.MSVCP140 ref: 00007FF7176DA809
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF7176DA86E
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBADXZ.MSVCP140 ref: 00007FF7176DA899
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHD@Z.MSVCP140 ref: 00007FF7176DA8AD
?width@ios_base@std@@QEAA_J_J@Z.MSVCP140 ref: 00007FF7176DA917
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7176DA94E

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@_$D@std@@@std@@U?$char_traits@$?width@ios_base@std@@W@std@@@std@@$?rdbuf@?$basic_ios@_V?$basic_streambuf@_W@std@@@2@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@_
String ID:
API String ID: 3628490770-0
Opcode ID: 9f70a5b17ca0f15cc1049185e283ac8fd5907c399e60a8d025d402138028276d
Instruction ID: a4884503ab7d792ce2e03a81494d136860cd7097889fea5da9802b6e372536d2
Opcode Fuzzy Hash: 9f70a5b17ca0f15cc1049185e283ac8fd5907c399e60a8d025d402138028276d
Instruction Fuzzy Hash: 91A1D726A1DF8586DB70EB15E49036EB7A1FBC8B94F404036DA8E83B69DF3CD5158B10

Function 00007FF71773B850 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00007FF7176E6CD0: char_traits.LIBCPMTD ref: 00007FF7176E6CFD

type_info::_name_internal_method.LIBCMTD ref: 00007FF71773B912
type_info::_name_internal_method.LIBCMTD ref: 00007FF71773B943
type_info::_name_internal_method.LIBCMTD ref: 00007FF71773BA7B
type_info::_name_internal_method.LIBCMTD ref: 00007FF71773BBF0

Part of subcall function 00007FF7176D3D10: char_traits.LIBCPMTD ref: 00007FF7176D3D30
Part of subcall function 00007FF7176D3D10: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176D3D84

type_info::_name_internal_method.LIBCMTD ref: 00007FF71773BB48

Strings

syntax error , xrefs: 00007FF71773B873
while parsing , xrefs: 00007FF71773B8BA
; expected , xrefs: 00007FF71773BBB4
unexpected , xrefs: 00007FF71773BB0C
; last read: ', xrefs: 00007FF71773B9CD

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: type_info::_name_internal_method$char_traits$Concurrency::details::EmptyQueue::StructuredWork
String ID: ; expected $; last read: '$syntax error $unexpected $while parsing
API String ID: 3012117132-4239264347
Opcode ID: a5dc54af2d110ee15b9334c1b336f1c85abe22bcc17acc6ed72fc8297cf45f24
Instruction ID: 98ee026a1f38d5f6e444b387f4d000df66fbf29567315c626b690839c6910d6f
Opcode Fuzzy Hash: a5dc54af2d110ee15b9334c1b336f1c85abe22bcc17acc6ed72fc8297cf45f24
Instruction Fuzzy Hash: 8191D57250DFC581DAA0EB15E4903EAB7A5FB84750F804532EA8D43BAADF2CD45ACB50

Function 00007FF717702910 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__std_fs_code_page.MSVCPRT ref: 00007FF717702964

Part of subcall function 00007FF7178A1388: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00007FF7178A138C
Part of subcall function 00007FF7178A1388: AreFileApisANSI.KERNEL32 ref: 00007FF7178A139B

Part of subcall function 00007FF7176EB1E0: std::_Fac_node::_Fac_node.LIBCPMTD ref: 00007FF7176EB21D

Part of subcall function 00007FF7176D5FA0: List.LIBCMTD ref: 00007FF7176D5FEC
Part of subcall function 00007FF7176D5FA0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176D6093

type_info::_name_internal_method.LIBCMTD ref: 00007FF717702B04
type_info::_name_internal_method.LIBCMTD ref: 00007FF717702B2F
type_info::_name_internal_method.LIBCMTD ref: 00007FF717702B45
type_info::_name_internal_method.LIBCMTD ref: 00007FF717702B84
type_info::_name_internal_method.LIBCMTD ref: 00007FF717702B9A
Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 00007FF717702BAA

Strings

: ", xrefs: 00007FF717702B10
", ", xrefs: 00007FF717702B65

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: type_info::_name_internal_method$ApisConcurrency::details::Concurrency::task_continuation_context::task_continuation_contextEmptyFac_nodeFac_node::_FileListQueue::StructuredWork___lc_codepage_func__std_fs_code_pagestd::_
String ID: ", "$: "
API String ID: 1700522703-747220369
Opcode ID: 7cfcadc2253ab10c95d59581eebc5d8042cdd7e241ff29f6e7fafbed051b3339
Instruction ID: cb19580ffdb48db5cdec53f2e7baa7a73bef28965fd31f686c840f81d89eb474
Opcode Fuzzy Hash: 7cfcadc2253ab10c95d59581eebc5d8042cdd7e241ff29f6e7fafbed051b3339
Instruction Fuzzy Hash: C761013261CA8691DA70EB11E8913EFE361FBC8794F800531EA8D87A5ADE7CD509CB50

Function 00007FF7176E4130 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 497COMMON

Download Yara Rule

APIs

_Func_class.LIBCPMTD ref: 00007FF7176E4ED9

Strings

object, xrefs: 00007FF7176E5630
object key, xrefs: 00007FF7176E51B1
value, xrefs: 00007FF7176E4CED
object separator, xrefs: 00007FF7176E53EB
array, xrefs: 00007FF7176E4FA3

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Func_class
String ID: array$object$object key$object separator$value
API String ID: 1670654298-2448007618
Opcode ID: db5e975a570036553e7f94d44da9c56933bdf259cb22937827a301dce5654bd8
Instruction ID: 221e00817d1a3a0c58b2228c204137a5e1458732f7b480dbf66bd71dbcd90850
Opcode Fuzzy Hash: db5e975a570036553e7f94d44da9c56933bdf259cb22937827a301dce5654bd8
Instruction Fuzzy Hash: 1552056260DFC185DAB0EB15E4902EEB3A5EBC5794F800122EACD57B5ADF2CD549CB20

Function 00007FF7176E29F0 Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 497COMMON

Download Yara Rule

APIs

_Func_class.LIBCPMTD ref: 00007FF7176E3799

Strings

object, xrefs: 00007FF7176E3EF0
object key, xrefs: 00007FF7176E3A71
value, xrefs: 00007FF7176E35AD
object separator, xrefs: 00007FF7176E3CAB
array, xrefs: 00007FF7176E3863

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Func_class
String ID: array$object$object key$object separator$value
API String ID: 1670654298-2448007618
Opcode ID: 30ffda3624d6424a67e43499c31331b4d80e8fde3fb8fef4d10a9750cdbf09ca
Instruction ID: 07099a22193c203fbd0204c71358e408c98d0ca97ca8d84396730da0a287eef3
Opcode Fuzzy Hash: 30ffda3624d6424a67e43499c31331b4d80e8fde3fb8fef4d10a9750cdbf09ca
Instruction Fuzzy Hash: 2F52176260DFC185DAB0EB15E4902EEB3A5EBC5794F800136EACD57B5ADF2CC549CB20

Function 00007FF7177D0010 Relevance: 10.6, APIs: 7, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7177D0060
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7177D006C

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: dd6bd2d32ed0a4552d503deda97d75ee8b407b9f55deb67a79f7f18f5301eac7
Instruction ID: bdd356f2ee83bd7942e6ddd9ba80bacba9f84ba780003b7e35fe7edbf1ec9c4a
Opcode Fuzzy Hash: dd6bd2d32ed0a4552d503deda97d75ee8b407b9f55deb67a79f7f18f5301eac7
Instruction Fuzzy Hash: 0B31017181CB45CAE721AF50E44436AFAA0F7887A4F801135EA8D42A95CF7DD59ECF31

Function 00007FF7177038D0 Relevance: 10.6, APIs: 7, Instructions: 55COMMON

Download Yara Rule

APIs

?pptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7176E9A72), ref: 00007FF7177038FF
?epptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7176E9A72), ref: 00007FF71770390F
?egptr@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7176E9A72), ref: 00007FF717703921
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7176E9A72), ref: 00007FF717703931
?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEBAPEADXZ.MSVCP140(?,?,?,?,?,?,?,?,00007FF7176E9A72), ref: 00007FF71770394C
?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD00@Z.MSVCP140(?,?,?,?,?,?,?,?,00007FF7176E9A72), ref: 00007FF717703981
?setp@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IEAAXPEAD0@Z.MSVCP140(?,?,?,?,?,?,?,?,00007FF7176E9A72), ref: 00007FF717703991

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?eback@?$basic_streambuf@$?egptr@?$basic_streambuf@?epptr@?$basic_streambuf@?pptr@?$basic_streambuf@?setg@?$basic_streambuf@?setp@?$basic_streambuf@D00@
String ID:
API String ID: 2626452370-0
Opcode ID: 185698c16b04f3af74c471cbd5ae4026bdc4d43d4a3e66adb1fa6317d3853b89
Instruction ID: 83b5eea165b05c5ab4d9f4f11df88fc879a7972f74f1b72dca85bed34f633aa4
Opcode Fuzzy Hash: 185698c16b04f3af74c471cbd5ae4026bdc4d43d4a3e66adb1fa6317d3853b89
Instruction Fuzzy Hash: ED21E536629E4186DB10EB55E85062AF7A0FBC8BA4F400135EE8D83725DF7CD419CB10

Function 00007FF717737DA0 Relevance: 9.3, APIs: 6, Instructions: 260COMMON

Download Yara Rule

APIs

UnDecorator::getVbTableType.LIBCMTD ref: 00007FF717737E21

Part of subcall function 00007FF717703FD0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF717703FE3

bool_.LIBCPMTD ref: 00007FF717737F44
shared_ptr.LIBCMTD ref: 00007FF717737F54
UnDecorator::getVbTableType.LIBCMTD ref: 00007FF71773800F
bool_.LIBCPMTD ref: 00007FF71773810C
shared_ptr.LIBCMTD ref: 00007FF71773811C

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Decorator::getTableTypebool_shared_ptr$Concurrency::details::EmptyQueue::StructuredWork
String ID:
API String ID: 2631667939-0
Opcode ID: 6a7545cfe1b610ce745b30f18c353a4de252b4bffb2beafc8b9a099a3b72e1a9
Instruction ID: 6d856ea5911e39be3f58bc2362685fe177e09062755c2db15a80628fad80b7b0
Opcode Fuzzy Hash: 6a7545cfe1b610ce745b30f18c353a4de252b4bffb2beafc8b9a099a3b72e1a9
Instruction Fuzzy Hash: D6D10D3260CEC690DA71EB15E4913EAA361FBD9750F804432DACD47BABDE6CD54D8B20

Function 00007FF7176DFAA0 Relevance: 9.1, APIs: 6, Instructions: 119COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7176E9080: ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QEAA_N_N@Z.MSVCP140 ref: 00007FF7176E90BA

?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF7176DFB3B
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7176DFB44
?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140 ref: 00007FF7176DFBF8
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QEAAHXZ.MSVCP140 ref: 00007FF7176DFC01
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QEAAXH_N@Z.MSVCP140 ref: 00007FF7176DFCAC

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@U?$char_traits@_$?rdbuf@?$basic_ios@_V?$basic_streambuf@_W@std@@@2@W@std@@@std@@$?sbumpc@?$basic_streambuf@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 436491974-0
Opcode ID: c49e1b7a0487597d69a27c8c4d730118aa05dbd207d796b72402560918768041
Instruction ID: daafeaf4d6a2d66413969fae35ea68b94a863e332e57001cf2115751b29abc47
Opcode Fuzzy Hash: c49e1b7a0487597d69a27c8c4d730118aa05dbd207d796b72402560918768041
Instruction Fuzzy Hash: F451417261CA8185DB70EB15E49027EF7A0FBC8B94F804435EACD87766DE3CD51A8B20

Function 00007FF7177CFED0 Relevance: 9.1, APIs: 6, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7177CFF22
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00007FF7177CFF2E

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfo
String ID:
API String ID: 2959964966-0
Opcode ID: 33e67c687726017ec922af3165dd94ef506de64be0c18755618cffadda7841a0
Instruction ID: 06b93162029880aaec395418d3300f7a31c0f9954ac0beec1e2b56341dd4d44a
Opcode Fuzzy Hash: 33e67c687726017ec922af3165dd94ef506de64be0c18755618cffadda7841a0
Instruction Fuzzy Hash: 4A310C7291CB4686E721AB14E44432AF6E4F78C7A4F500135EA8D42A99CF7CE49ECF20

Function 00007FF7176E5C40 Relevance: 9.1, APIs: 6, Instructions: 68COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QEAA@H@Z.MSVCP140 ref: 00007FF7176E5C5F
??Bid@locale@std@@QEAA_KXZ.MSVCP140 ref: 00007FF7176E5C79
std::locale::_Getfacet.LIBCPMTD ref: 00007FF7176E5C8E
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SA_KPEAPEBVfacet@locale@2@PEBV42@@Z.MSVCP140 ref: 00007FF7176E5CC5
??1_Lockit@std@@QEAA@XZ.MSVCP140 ref: 00007FF7176E5D57

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Getcat@?$codecvt@GetfacetMbstatet@@@std@@V42@@Vfacet@locale@2@std::locale::_
String ID:
API String ID: 930135289-0
Opcode ID: 60e422734b0b0876130bd5e3988b4cc4bf4b6618fe5ac51d24d2c6d2df6d8229
Instruction ID: cb35e6bc80edea89cced31e52bf6c6720ae21bff550081d37b54820281f7120d
Opcode Fuzzy Hash: 60e422734b0b0876130bd5e3988b4cc4bf4b6618fe5ac51d24d2c6d2df6d8229
Instruction Fuzzy Hash: 9C31122651DE4582DA10EB15E89016AF771FBC97A4F900131EA8D43BAADF3CD55ACB10

Function 00007FF717744FF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF717745049
HandleT.LIBCPMTD ref: 00007FF717745058
type_info::_name_internal_method.LIBCMTD ref: 00007FF7177450F9

Strings

<U+%.4X>, xrefs: 00007FF7177450CE

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalHandleLock::_ReentrantScoped_lockScoped_lock::~_type_info::_name_internal_method
String ID: <U+%.4X>
API String ID: 1503085150-1919636860
Opcode ID: d7689c8780e7e9517fd381439f4adfe240bb0a6583ab39670c4d4a601100ede1
Instruction ID: c49a23cb914d70973a106d07b4eb79fdedf03e12a845a0e5d26a5f520c59ca8d
Opcode Fuzzy Hash: d7689c8780e7e9517fd381439f4adfe240bb0a6583ab39670c4d4a601100ede1
Instruction Fuzzy Hash: D8314D3251CE8185D660EB11F89126EFBA0FBC87A0F904531EACD87B6ADE2CD559CB10

Function 00007FF71779EB00 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 60COMMON

Download Yara Rule

APIs

Concurrency::cancellation_token::_FromImpl.LIBCPMTD ref: 00007FF71779EB2D
Concurrency::cancellation_token::_FromImpl.LIBCPMTD ref: 00007FF71779EB65

Strings

, column , xrefs: 00007FF71779EBA1
at line , xrefs: 00007FF71779EB7E

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancellation_token::_FromImpl
String ID: at line $, column
API String ID: 2278334151-191570568
Opcode ID: 0b0476e683444410c06c89faf219409f412737b45ccb73666e32d8119b3c7eb2
Instruction ID: 252f728fa8b4470b90a1383c2962231d705316a999b9532be9bf0fea94d78a3d
Opcode Fuzzy Hash: 0b0476e683444410c06c89faf219409f412737b45ccb73666e32d8119b3c7eb2
Instruction Fuzzy Hash: 2A310572609F8582DA60EB15F88029AF7A5FBC8794F504122EACD43B6ADF3CC559CB50

Function 00007FF7176E6D80 Relevance: 6.2, APIs: 4, Instructions: 214COMMON

Download Yara Rule

APIs

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176E6DC4
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176E6F85
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176E6F9A

Part of subcall function 00007FF71779CDD0: Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF71779CDED
Part of subcall function 00007FF71779CDD0: _Max_value.LIBCPMTD ref: 00007FF71779CE12
Part of subcall function 00007FF71779CDD0: _Min_value.LIBCPMTD ref: 00007FF71779CE40

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176E70DC

Part of subcall function 00007FF717704180: ?_Xlength_error@std@@YAXPEBD@Z.MSVCP140(?,?,?,?,00007FF7176D50B5), ref: 00007FF71770418B

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::EmptyQueue::StructuredWork$Max_valueMin_valueXlength_error@std@@
String ID:
API String ID: 4007518583-0
Opcode ID: 0f077840f1ac01a53fb5d9f445c245d8c4bb494e84aab70f3904c119a19f714d
Instruction ID: 7e6f7081b9c768cd79bfc8303eaa4d5e0bddab75712bcee722f2fc198b3c3e58
Opcode Fuzzy Hash: 0f077840f1ac01a53fb5d9f445c245d8c4bb494e84aab70f3904c119a19f714d
Instruction Fuzzy Hash: 16B11C2261DFC581DA60EB16E4903ABE7A1F7C9BD0F400036EACD43B6ADF2CD5598B10

Function 00007FF7176FF110 Relevance: 6.1, APIs: 4, Instructions: 103COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7176FF1EA
GetLastError.KERNEL32 ref: 00007FF7176FF219
WideCharToMultiByte.KERNEL32 ref: 00007FF7176FF261
WideCharToMultiByte.KERNEL32 ref: 00007FF7176FF2D1

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast
String ID:
API String ID: 1717984340-0
Opcode ID: ecec202655f9c531599374b38fcc20988f0c2ce1ba8e6c9c4af8467a9ed67bab
Instruction ID: 15f4b8d428c17018f7f84b406b162b089fb2a7a7708c4f827b3cdf4321aaa7c7
Opcode Fuzzy Hash: ecec202655f9c531599374b38fcc20988f0c2ce1ba8e6c9c4af8467a9ed67bab
Instruction Fuzzy Hash: 25514632618A808AD760DB05E49039AFBB1F7C9BA4F604125EACC83B99DF7DD4498F40

Function 00007FF7176D5E30 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

List.LIBCMTD ref: 00007FF7176D5E7C
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7176D5EEB
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF7176D5F23
__std_fs_convert_wide_to_narrow.LIBCPMT ref: 00007FF7176D5F6E

Part of subcall function 00007FF717703770: std::make_error_code.LIBCPMTD ref: 00007FF717703786
Part of subcall function 00007FF717703770: _CxxThrowException.VCRUNTIME140 ref: 00007FF7177037B8

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: __std_fs_convert_wide_to_narrow$Concurrency::details::EmptyExceptionListQueue::StructuredThrowWorkstd::make_error_code
String ID:
API String ID: 473158611-0
Opcode ID: 8c4fd6d1689670e3fa4bf0a2fbe0c1002703dfa7d8f897caa6212ac84a87bdcc
Instruction ID: afdf606e1ea213f9f18acb7a384941f61435318b9867a4c3b00857d376224082
Opcode Fuzzy Hash: 8c4fd6d1689670e3fa4bf0a2fbe0c1002703dfa7d8f897caa6212ac84a87bdcc
Instruction Fuzzy Hash: A831EA32929A818AD760EB11E48176EB7A1FBC9790F501035EACD87A5ACE3CD4198F50

Function 00007FF717700BA0 Relevance: 6.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

List.LIBCMTD ref: 00007FF717700BDF
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF717700C4E
Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF717700C87
__std_fs_convert_narrow_to_wide.LIBCPMT ref: 00007FF717700CD2

Part of subcall function 00007FF717703770: std::make_error_code.LIBCPMTD ref: 00007FF717703786
Part of subcall function 00007FF717703770: _CxxThrowException.VCRUNTIME140 ref: 00007FF7177037B8

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: __std_fs_convert_narrow_to_wide$Concurrency::details::EmptyExceptionListQueue::StructuredThrowWorkstd::make_error_code
String ID:
API String ID: 3467093758-0
Opcode ID: f1c37221971197ef2e6fe997a5e6e49ba08a93edbf11d59a9802932ff8400463
Instruction ID: a23ee685c4d3ae475b9a076d2304f7c64eab50f3ab6959b308d1dfda19b0dd8d
Opcode Fuzzy Hash: f1c37221971197ef2e6fe997a5e6e49ba08a93edbf11d59a9802932ff8400463
Instruction Fuzzy Hash: AC310B3292DA818AD760EB21E84176FF7A0FBC9790F501135EA8D83B5ACE3CD4198F50

Function 00007FF7176E90E0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF7176E8390: ?rdbuf@?$basic_ios@_WU?$char_traits@_W@std@@@std@@QEBAPEAV?$basic_streambuf@_WU?$char_traits@_W@std@@@2@XZ.MSVCP140(?,?,?,?,?,?,00007FF7176E90FD), ref: 00007FF7176E83D2

?good@ios_base@std@@QEBA_NXZ.MSVCP140 ref: 00007FF7176E9118
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QEBAPEAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140 ref: 00007FF7176E914A

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@U?$char_traits@_$?good@ios_base@std@@?rdbuf@?$basic_ios@_?tie@?$basic_ios@D@std@@@2@D@std@@@std@@V?$basic_ostream@V?$basic_streambuf@_W@std@@@2@W@std@@@std@@
String ID:
API String ID: 770597929-0
Opcode ID: 258c187f890d08a1e9fc0ca30172c85fc87cdba7641fff0cb397c093e47e2444
Instruction ID: cb7f0dd13c717193b21fc05a59b8ffe5fdb98a8dbba5d2f5256e44d5a0891668
Opcode Fuzzy Hash: 258c187f890d08a1e9fc0ca30172c85fc87cdba7641fff0cb397c093e47e2444
Instruction Fuzzy Hash: 6221F826A09F8585DF11DB0AE48422EABB0FBCAB98F508026EB8D43765DF3DC455C720

Function 00007FF7178A151C Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32 ref: 00007FF7178A1565
GetLastError.KERNEL32 ref: 00007FF7178A1573
WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7176D6060), ref: 00007FF7178A15A8
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00007FF7176D6060), ref: 00007FF7178A15B6

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: e49e580475eb105ab438402875f7e769b0585cb18dcc6b3ad0ebc97820afbe23
Instruction ID: b668939f639680601462d29bc29a3925cf25c469c65484d650662cf5150d1224
Opcode Fuzzy Hash: e49e580475eb105ab438402875f7e769b0585cb18dcc6b3ad0ebc97820afbe23
Instruction Fuzzy Hash: A4214772E28B8187E7209F15A44432EBAB4FB89FD0F640139EB8993B55DF3CD4168B10

Function 00007FF717702E70 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

_Func_class.LIBCONCRTD ref: 00007FF717702E83
_Func_class.LIBCONCRTD ref: 00007FF717702EDD

Part of subcall function 00007FF717703850: _Func_class.LIBCONCRTD ref: 00007FF71770385E
Part of subcall function 00007FF717703850: _Func_class.LIBCONCRTD ref: 00007FF7177038BC

_Func_class.LIBCONCRTD ref: 00007FF717702F01
_Func_class.LIBCONCRTD ref: 00007FF717702F0D

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Func_class
String ID:
API String ID: 1670654298-0
Opcode ID: e77f79d9cf39988b35128cb69f5d17508d7ad36d8d49692ac75ebe8530a279bd
Instruction ID: ab5bca962e2ef704315d7314070e2f162bcaecee4e5c99e586ddc744c0a04a06
Opcode Fuzzy Hash: e77f79d9cf39988b35128cb69f5d17508d7ad36d8d49692ac75ebe8530a279bd
Instruction Fuzzy Hash: 0911EC2260DE4180DA10FB16EC5112FE7A0FBCABD1F904035FE8D87B6ADE2DD44A8B10

Function 00007FF7176D6220 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

shared_ptr.LIBCMTD ref: 00007FF7176D625E

Part of subcall function 00007FF7176EB6E0: shared_ptr.LIBCMTD ref: 00007FF7176EB6EE

allocator.LIBCPMTD ref: 00007FF7176D6272
shared_ptr.LIBCMTD ref: 00007FF7176D6284
allocator.LIBCPMTD ref: 00007FF7176D6298

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: shared_ptr$allocator
String ID:
API String ID: 426846764-0
Opcode ID: fe7b6fd1f7e30fa00660d5006c6cb6fedca7224268ee6b27a83a09b9491fca5c
Instruction ID: a5fe64ca8447460fd26816100f534282f1038b72ae329e40f026e0919e14c01e
Opcode Fuzzy Hash: fe7b6fd1f7e30fa00660d5006c6cb6fedca7224268ee6b27a83a09b9491fca5c
Instruction Fuzzy Hash: 15114832618E8181DE60EB15F4412AFB362FBC47D0F804131EACD57B5ADE2CC55A8B20

Function 00007FF7176D3850 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176D388A
HandleT.LIBCPMTD ref: 00007FF7176D3899
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176D38A8
_Find_unchecked.LIBCPMTD ref: 00007FF7176D38C1

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::~_$Find_uncheckedHandle
String ID:
API String ID: 1005945929-0
Opcode ID: eec8d121c8286cafcff43c719952123da7a1a0ff476df82a5753a9bbffeecc93
Instruction ID: dedc8491e077f3b868bb8ac225c805ad85a7bd9ba0e8c033858575b5bae9c1f8
Opcode Fuzzy Hash: eec8d121c8286cafcff43c719952123da7a1a0ff476df82a5753a9bbffeecc93
Instruction Fuzzy Hash: 97F0E12252DE4181DA50FB11F49106EE765FBC87E0F800535FACE83B5BDE6CD5598B50

Function 00007FF7176D3780 Relevance: 6.0, APIs: 4, Instructions: 28COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176D37BA
HandleT.LIBCPMTD ref: 00007FF7176D37C9
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176D37D8
_Find_unchecked.LIBCPMTD ref: 00007FF7176D37F1

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::~_$Find_uncheckedHandle
String ID:
API String ID: 1005945929-0
Opcode ID: 291345dabd49c7083a4d0a6fd68b288ae2a2360adec0d06b4a22fb5c96f750aa
Instruction ID: 5f8b96bcfef1bba8110bd139fe7beaf68fc15626207308194e108cf5cd40d296
Opcode Fuzzy Hash: 291345dabd49c7083a4d0a6fd68b288ae2a2360adec0d06b4a22fb5c96f750aa
Instruction Fuzzy Hash: 92F02C6252DE8181DA50EB11E89106FE7A1FBC87E0F400035FACE87B6BDE6CC0598B50

Function 00007FF7176DAB60 Relevance: 6.0, APIs: 4, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176DAB78
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176DAB87
Concurrency::details::_CriticalNonReentrantLock::_Scoped_lock::~_Scoped_lock.LIBCMTD ref: 00007FF7176DAB96
memcmp.VCRUNTIME140(?,?,?,?,?,?,?,?,00007FF7176DEF75), ref: 00007FF7176DABBD

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::details::_CriticalLock::_ReentrantScoped_lockScoped_lock::~_$memcmp
String ID:
API String ID: 2606901649-0
Opcode ID: 694c53b12d12f6eba441c196b00874dfc9c15d4e7ec539bb03d53240b683f1a5
Instruction ID: 4e56d81bfff5b589541eee46458db02f9ba3f9dfddd6f07a96977d5e343bac2d
Opcode Fuzzy Hash: 694c53b12d12f6eba441c196b00874dfc9c15d4e7ec539bb03d53240b683f1a5
Instruction Fuzzy Hash: BEF09762529F8485CA10EB55F49105EB7A5F7D87D4F500129E6CD83B6ADF2CD2258B40

Function 00007FF7176E2A8C Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

object key, xrefs: 00007FF7176E2B1C
object separator, xrefs: 00007FF7176E2D2C

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: object key$object separator
API String ID: 0-2279923633
Opcode ID: a8f2c7678eb8f3b54bc150a978054d1c7856fc2a79208d43f394fedce2280f94
Instruction ID: 558613ca8d11a6c42600af11bfcfcee5574be44bc26d50d1ae5b4fb282da8310
Opcode Fuzzy Hash: a8f2c7678eb8f3b54bc150a978054d1c7856fc2a79208d43f394fedce2280f94
Instruction Fuzzy Hash: 3DC1086250DEC184DA70EB15E4513EEF3A1EB85794F800132EACD57B9ADF2CD549CB60

Function 00007FF7176E41CC Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 219COMMON

Download Yara Rule

Strings

object key, xrefs: 00007FF7176E425C
object separator, xrefs: 00007FF7176E446C

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: object key$object separator
API String ID: 0-2279923633
Opcode ID: 1e970a03f6bfa36e8a92cf90c08ce7a5caa9367753a1c01c580f077706461c82
Instruction ID: 0a1a3b32dc7046da529965d23995bd3a96c0b6d8dca087e8f411036683541f24
Opcode Fuzzy Hash: 1e970a03f6bfa36e8a92cf90c08ce7a5caa9367753a1c01c580f077706461c82
Instruction Fuzzy Hash: A9C1266260DEC184DA70EB15E4513EEB7A1EBC5794F800132EACD57B9BDF2CD44A8B60

Function 00007FF71770F790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00007FF71779EB00: Concurrency::cancellation_token::_FromImpl.LIBCPMTD ref: 00007FF71779EB2D
Part of subcall function 00007FF71779EB00: Concurrency::cancellation_token::_FromImpl.LIBCPMTD ref: 00007FF71779EB65

Part of subcall function 00007FF7176E6CD0: char_traits.LIBCPMTD ref: 00007FF7176E6CFD

Concurrency::details::WorkQueue::IsStructuredEmpty.LIBCMTD ref: 00007FF71770F930

Strings

parse_error, xrefs: 00007FF71770F7F2
parse error, xrefs: 00007FF71770F833

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancellation_token::_FromImpl$Concurrency::details::EmptyQueue::StructuredWorkchar_traits
String ID: parse error$parse_error
API String ID: 3940763495-1820534363
Opcode ID: 225d94126315b9ff481c257670acb08f044ef1bb55069bb0d9d9c434ea7b6b3d
Instruction ID: 9372cca973403f69effb7a78c80f5f79b7246ae9729b933201e2cb66de43ef91
Opcode Fuzzy Hash: 225d94126315b9ff481c257670acb08f044ef1bb55069bb0d9d9c434ea7b6b3d
Instruction Fuzzy Hash: 8D51F532509FC591DAA0EB15E4903EAF3A5FBC9794F804122E6CC43B6ADF2CD55ACB50

Function 00007FF717700E10 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94fileCOMMON

Download Yara Rule

APIs

?unshift@?$codecvt@DDU_Mbstatet@@@std@@QEBAHAEAU_Mbstatet@@PEAD1AEAPEAD@Z.MSVCP140 ref: 00007FF717700EF1
fwrite.API-MS-WIN-CRT-STDIO-L1-1-0 ref: 00007FF717700F60

Strings

, xrefs: 00007FF717700EA9

Memory Dump Source

Source File: 00000000.00000002.2600397583.00007FF7175C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF7175C0000, based on PE: true

Associated: 00000000.00000002.2600376378.00007FF7175C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600639862.00007FF7178A8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600705443.00007FF71795A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2600727416.00007FF71795C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff7175c0000_SecuriteInfo.jbxd

Similarity

API ID: ?unshift@?$codecvt@Mbstatet@@Mbstatet@@@std@@fwrite
String ID:
API String ID: 1347553915-3916222277
Opcode ID: 94081bf84289e140f870bed1d50639b63d428586c365cbc78b24cb85a2ac98e2
Instruction ID: 4f423316eaca842a81c06b6a6719665bc18cbff7654deca5eb4283f864ecafef
Opcode Fuzzy Hash: 94081bf84289e140f870bed1d50639b63d428586c365cbc78b24cb85a2ac98e2
Instruction Fuzzy Hash: E6415C3651CB8189DB61EB15E4843AAB7A0F7CA760F501036EA8D43B6ACF3CE44DDB50

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_3614ad19c0cf73c93992fea3fa40529655361d0_1eb0641c_8052aff8-107d-4b21-96e2-11f6789039ee\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WEREB0.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERF8C.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERFBC.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe

Function 00007FF7178A1B34 Relevance: 3.0, APIs: 2, Instructions: 21
COMMONLIBRARYCODE

Function 00007FF7176D5AE0 Relevance: 1.5, APIs: 1, Instructions: 49
COMMON

Function 00007FF7176D4A10 Relevance: 1.5, APIs: 1, Instructions: 36
COMMONLIBRARYCODE

Function 00007FF7176FFEB0 Relevance: 1.5, APIs: 1, Instructions: 33
COMMON

Function 00007FF7176D4790 Relevance: 1.5, APIs: 1, Instructions: 9
COMMONLIBRARYCODE

Function 00007FF7176DA5D0 Relevance: 21.2, APIs: 14, Instructions: 207
COMMON

Function 00007FF71773B850 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 169
COMMON

Function 00007FF717702910 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148
COMMON