Edit tour

Windows Analysis Report
SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Overview

General Information

Sample name:	SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe
Analysis ID:	1417537
MD5:	aea72794061e7055003524c90109b369
SHA1:	2e21dd9cee8985d0d82cfc2a527d6ce6f830d971
SHA256:	3bac7343a0a848b51baf15fd2c7e9140a8d8f297a50e33fd204929be52617d3b
Tags:	exe
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains sections with non-standard names

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Tries to load missing DLLs

Uses 32bit PE files

Classification

Process Tree

System is w10x64

SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe (PID: 4548 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe" MD5: AEA72794061E7055003524C90109B369)

conhost.exe (PID: 3500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Virustotal: Detection: 9%			Perma Link

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Users\sZeD\source\repos\bsd\Debug\walczy.pdb,, source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe
Source:	Binary string: C:\Users\sZeD\source\repos\bsd\Debug\walczy.pdb source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Section loaded: msvcp140d.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Section loaded: vcruntime140d.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Section loaded: ucrtbased.dll	Jump to behavior

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@2/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3500:120:WilError_03

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	ReversingLabs: Detection: 13%
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Virustotal: Detection: 9%

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe "C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: C:\Users\sZeD\source\repos\bsd\Debug\walczy.pdb,, source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe
Source:	Binary string: C:\Users\sZeD\source\repos\bsd\Debug\walczy.pdb source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: section name: .textbss
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: section name: .msvcjmc
Source: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Static PE information: section name: .00cfg

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Code function: 0_2_00B6D1D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00B6D1D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Code function: 0_2_00B617CB GetProcessHeap,

0_2_00B617CB

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Code function: 0_2_00B6D1D0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B6D1D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Code function: 0_2_00B61271 SetUnhandledExceptionFilter,	0_2_00B61271
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Code function: 0_2_00B6D480 SetUnhandledExceptionFilter,	0_2_00B6D480
Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	Code function: 0_2_00B6DEA0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B6DEA0

Source: C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Code function: 0_2_00B61393 GetSystemTimeAsFileTime,

0_2_00B61393

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Process Injection	OS Credential Dumping	1 System Time Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 DLL Side-Loading	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	2 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	13%	ReversingLabs
SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe	10%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417537
Start date and time:	2024-03-29 15:25:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe
Detection:	MAL
Classification:	mal48.winEXE@2/0@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 15
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe, PID 4548 because there are no executed function
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

⊘No created / dropped files found

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	5.4602723130301305
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe
File size:	165'888 bytes
MD5:	aea72794061e7055003524c90109b369
SHA1:	2e21dd9cee8985d0d82cfc2a527d6ce6f830d971
SHA256:	3bac7343a0a848b51baf15fd2c7e9140a8d8f297a50e33fd204929be52617d3b
SHA512:	dde9a6caf031d93122bae70c0bba0a08f0e51c8e77a2b0fdf1135019a4477efbc7503b2913c4ceb89c80db89e80b5ffe4dc94896013f9eb250939cd8a8862f41
SSDEEP:	3072:SH8WDQIATG3dSN6ShjbIPYTZ5uEDFhBnH/nyRbC3:SH8fFIAlbIPYt5uEDFhxvyRm3
TLSH:	6FF33A717E4BC877FA93017B4EF888EA1A58D95087D514D3618836ED86663E12F3324F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......K....x...x...x.......x.......x.......x..T....x...x..yx.......x....H..x...x ..x.......x..Rich.x..........PE..L...Zm._...........

File Icon


Icon Hash:	0fc69a89a2b20b2b

Static PE Info

General

Entrypoint:	0x411767
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5F8C6D5A [Sun Oct 18 16:29:14 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	dde35834c0080e8293305a230903e455

Entrypoint Preview

Instruction
jmp 00007FC30C825389h
jmp 00007FC30C8243C4h
jmp 00007FC30C8279CEh
jmp 00007FC30C82794Bh
jmp 00007FC30C8279D0h
jmp 00007FC30C822380h
jmp 00007FC30C825B1Bh
jmp 00007FC30C81DB56h
jmp 00007FC30C820311h
jmp 00007FC30C8278F1h
jmp 00007FC30C8278B0h
jmp 00007FC30C8277D9h
jmp 00007FC30C81F27Dh
jmp 00007FC30C8252E8h
jmp 00007FC30C827818h
jmp 00007FC30C81CD7Eh
jmp 00007FC30C81E749h
jmp 00007FC30C81F5A4h
jmp 00007FC30C825AFFh
jmp 00007FC30C824257h
jmp 00007FC30C82796Eh
jmp 00007FC30C826C20h
jmp 00007FC30C8244CBh
jmp 00007FC30C8244D6h
jmp 00007FC30C81F6F1h
jmp 00007FC30C8272BCh
jmp 00007FC30C8269A7h
jmp 00007FC30C82779Bh
jmp 00007FC30C82059Dh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2b304	0x78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2f000	0xe0b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3e000	0xad8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x26e44	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x26e80	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2b000	0x304	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.textbss	0x1000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.text	0x11000	0x1303b	0x13200	e0c98f65456ef0266e18f1e6397a29b4	False	0.2261029411764706	data	4.321248844005625	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x25000	0x40de	0x4200	149a7b6eac171fde3dad7382aaaa97fd	False	0.1436434659090909	data	2.1378142425729187	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x2a000	0x758	0x400	fb3e8ad50a4b150b5d4328bcb479e967	False	0.10546875	data	1.0465158531636134	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2b000	0x1500	0x1600	c3d790a286563ab60bee62eaa0b4311b	False	0.32173295454545453	data	4.73050558824712	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.msvcjmc	0x2d000	0x152	0x200	29473316e9a03fc3fca8712fbb8539d5	False	0.033203125	Targa image data - Map (257-257) 257 x 257 x 1 +257 +257 - 1-bit alpha "\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001\001"	0.5703645563524087	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.00cfg	0x2e000	0x109	0x200	6c7c036177ff0cac8633ce58f9e14da6	False	0.03515625	data	0.11055713125913882	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2f000	0xe0b0	0xe200	471219bf07be6fbc07814ccc84e589dd	False	0.6580475663716814	data	6.469591996122458	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3e000	0xe3d	0x1000	85b2b32db8c4a636b4faa792c4c5602f	False	0.582763671875	GLS_BINARY_LSB_FIRST	5.281617383792299	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x2f300	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.7898936170212766
RT_ICON	0x2f768	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	English	United States	0.6491803278688525
RT_ICON	0x300f0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.5189962476547842
RT_ICON	0x31198	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	United States	0.38682572614107885
RT_ICON	0x33740	0x71d8	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9965001372495196
RT_GROUP_ICON	0x3a918	0x4c	data	English	United States	0.7763157894736842
RT_MANIFEST	0x3a968	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
KERNEL32.dll	CloseHandle, Sleep, OpenProcess, ReadProcessMemory, WriteProcessMemory, SetConsoleTitleA, GetConsoleWindow, CreateToolhelp32Snapshot, Module32FirstW, Module32NextW, FreeLibrary, VirtualQuery, GetProcessHeap, HeapFree, HeapAlloc, GetLastError, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentProcessId, QueryPerformanceCounter, TerminateProcess, GetCurrentProcess, WideCharToMultiByte, MultiByteToWideChar, RaiseException, GetModuleHandleW, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetCurrentThreadId, GetProcAddress
USER32.dll	GetWindowRect, FindWindowA, GetWindowThreadProcessId, MoveWindow
MSVCP140D.dll	??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAH@Z, _Cnd_do_broadcast_at_thread_exit, ?_Throw_Cpp_error@std@@YAXH@Z, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?put@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@D@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ, ??0_Lockit@std@@QAE@H@Z, ??1_Lockit@std@@QAE@XZ, ?_Xlength_error@std@@YAXPBD@Z, ?uncaught_exception@std@@YA_NXZ, ?good@ios_base@std@@QBE_NXZ, ?flags@ios_base@std@@QBEHXZ, ?width@ios_base@std@@QBE_JXZ, ?width@ios_base@std@@QAE_J_J@Z, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ, ?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAV01@AAV01@@Z@Z
VCRUNTIME140D.dll	__std_exception_copy, memcpy, __std_exception_destroy, _CxxThrowException, __CxxFrameHandler3, memset, __current_exception, __current_exception_context, _except_handler4_common, __std_type_info_destroy_list, __vcrt_GetModuleFileNameW, __vcrt_GetModuleHandleW, __vcrt_LoadLibraryExW, memmove
ucrtbased.dll	_initterm, _initterm_e, exit, _exit, _set_fmode, __p___argc, __p___argv, _c_exit, _register_thread_local_exe_atexit_callback, _configthreadlocale, _set_new_mode, __p__commode, _beginthreadex, strcpy_s, strcat_s, __stdio_common_vsprintf_s, _controlfp_s, _wmakepath_s, _wsplitpath_s, wcscpy_s, strlen, _wcsicmp, system, _CrtDbgReport, _invalid_parameter, _get_initial_narrow_environment, _set_app_type, _seh_filter_exe, _CrtDbgReportW, _cexit, _crt_at_quick_exit, _crt_atexit, _execute_onexit_table, _register_onexit_function, _initialize_onexit_table, _initialize_narrow_environment, _configure_narrow_argv, _seh_filter_dll, malloc, _free_dbg, _callnewh, __setusermatherr, terminate

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exePID: 4548, Parent PID: 4056

General

Target ID:	0
Start time:	15:25:57
Start date:	29/03/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe"
Imagebase:	0xb50000
File size:	165'888 bytes
MD5 hash:	AEA72794061E7055003524C90109B369
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3500, Parent PID: 4548

General

Target ID:	1
Start time:	15:25:57
Start date:	29/03/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exePID: 4548, Parent PID: 4056COMMON

Non-executed Functions

Function 00B6D480 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00B612CB), ref: 00B6D488

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 29cbf1d9c95adc890816edf05a41a95e120a95d3447003db09fa7a6e3c387867
Instruction ID: 018ce93b218bdf3e69d44b50f5cf29a107e30ad1c65f5dcaa5858d020696d879
Opcode Fuzzy Hash: 29cbf1d9c95adc890816edf05a41a95e120a95d3447003db09fa7a6e3c387867
Instruction Fuzzy Hash: ABA0223008030CE3000033EABC0AC02BBECE002AA83008080F20E820320FA2200808F2

Uniqueness

Uniqueness Score: -1.00%

Function 00B61271 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1cc2e3b89f0295a71f4c2f5d98978df9b476ed5ceffc35e5f9f5ecd2d0d18f7
Instruction ID: bf7cd9bd5b828e1ae2049935ff0ba1f35c54f8063d48d9d9fc834b128392b51f
Opcode Fuzzy Hash: f1cc2e3b89f0295a71f4c2f5d98978df9b476ed5ceffc35e5f9f5ecd2d0d18f7
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B61393 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc89a0a16724be94a9b078e43fc4ca10ba7c085f3852a4c1833e20735b780f8c
Instruction ID: 9ba79d89e76b79da720045f1354ff178bc30a71f87294d1568aa73023c4c4ad5
Opcode Fuzzy Hash: bc89a0a16724be94a9b078e43fc4ca10ba7c085f3852a4c1833e20735b780f8c
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B617CB Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57142260cce0b422768084dd5dbdefd015e5529017eeaf91892156b1eea33197
Instruction ID: b53746f7afc3a3c98fadd95ffad61a3825ecf13b6b4972f34227b5ef3fb76fa5
Opcode Fuzzy Hash: 57142260cce0b422768084dd5dbdefd015e5529017eeaf91892156b1eea33197
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00B6AC50 Relevance: 75.5, APIs: 31, Strings: 12, Instructions: 204sleepCOMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNEL32 ref: 00B6AC84
GetWindowRect.USER32(?,?), ref: 00B6AC9E
MoveWindow.USER32(?,?,?,000003E8,000001F4,00000001), ref: 00B6ACC5
SetConsoleTitleA.KERNEL32(00B75ECC), ref: 00B6ACE6
Sleep.KERNEL32(00000064), ref: 00B6ACF7
SetConsoleTitleA.KERNEL32(00B7608C), ref: 00B6AD0B
Sleep.KERNEL32(00000064), ref: 00B6AD1C
SetConsoleTitleA.KERNEL32(CREA), ref: 00B6AD30
Sleep.KERNEL32(000000C8), ref: 00B6AD44
SetConsoleTitleA.KERNEL32(CREAT), ref: 00B6AD58
Sleep.KERNEL32(00000064), ref: 00B6AD69
SetConsoleTitleA.KERNEL32(CREATED), ref: 00B6AD7D
Sleep.KERNEL32(00000096), ref: 00B6AD91
SetConsoleTitleA.KERNEL32(CREATED B), ref: 00B6ADA5
Sleep.KERNEL32(00000096), ref: 00B6ADB9
SetConsoleTitleA.KERNEL32(CREATED BY), ref: 00B6ADCD
Sleep.KERNEL32(00000096), ref: 00B6ADE1
SetConsoleTitleA.KERNEL32(CREATED BY W), ref: 00B6ADF5
Sleep.KERNEL32(00000096), ref: 00B6AE09
SetConsoleTitleA.KERNEL32(CREATED BY WA), ref: 00B6AE1D
Sleep.KERNEL32(00000096), ref: 00B6AE31
SetConsoleTitleA.KERNEL32(CREATED BY WAL), ref: 00B6AE45
Sleep.KERNEL32(00000096), ref: 00B6AE59
SetConsoleTitleA.KERNEL32(CREATED BY WALC), ref: 00B6AE6D
Sleep.KERNEL32(00000064), ref: 00B6AE7E
SetConsoleTitleA.KERNEL32(CREATED BY WALCZ), ref: 00B6AE92
Sleep.KERNEL32(00000064), ref: 00B6AEA3
SetConsoleTitleA.KERNEL32(CREATED BY WALCZY), ref: 00B6AEB7
Sleep.KERNEL32(00000BB8), ref: 00B6AECB
SetConsoleTitleA.KERNEL32(Among-Us Cheat), ref: 00B6AEDF
Sleep.KERNEL32(00000FA0), ref: 00B6AEF3

Strings

CREATED BY WALCZ, xrefs: 00B6AE8D
CREATED BY, xrefs: 00B6ADC8
CREATED BY WAL, xrefs: 00B6AE40
CREATED, xrefs: 00B6AD78
CREATED BY W, xrefs: 00B6ADF0
Among-Us Cheat, xrefs: 00B6AEDA
CREATED B, xrefs: 00B6ADA0
CREAT, xrefs: 00B6AD53
CREATED BY WA, xrefs: 00B6AE18
CREATED BY WALC, xrefs: 00B6AE68
CREATED BY WALCZY, xrefs: 00B6AEB2
CREA, xrefs: 00B6AD2B

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: Console$SleepTitle$Window$MoveRect
String ID: Among-Us Cheat$CREA$CREAT$CREATED$CREATED B$CREATED BY$CREATED BY W$CREATED BY WA$CREATED BY WAL$CREATED BY WALC$CREATED BY WALCZ$CREATED BY WALCZY
API String ID: 2512251847-3335021109
Opcode ID: 884d422c5d8c8ac2247942751792347ed22bd7b61b60c62ab99e5ffedc508eaa
Instruction ID: 7e16f3a487572e1f1c32f380050f0fc81e71cdc68b79d53d9afc4fcf0d32498d
Opcode Fuzzy Hash: 884d422c5d8c8ac2247942751792347ed22bd7b61b60c62ab99e5ffedc508eaa
Instruction Fuzzy Hash: 43515432900524BBC57037AAE94BB4D7AE69F01365F8A4AC1F96D772A5CF5A0C804FD3

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B460 Relevance: 68.6, APIs: 13, Strings: 26, Instructions: 343sleepprocessCOMMON

Download Yara Rule

APIs

??5?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV01@AAH@Z.MSVCP140D(?), ref: 00B6B4EA
Sleep.KERNEL32(000003E8), ref: 00B6B5AE
system.UCRTBASED(cls), ref: 00B6B5C2

Strings

H, xrefs: 00B6B91E
Crew Role Activated, xrefs: 00B6B740
Imposter Role Activated, xrefs: 00B6B802
,, xrefs: 00B6B533
cls, xrefs: 00B6B5BD, 00B6B665, 00B6B769, 00B6B82B, 00B6B8F0, 00B6B977
\ 4(, xrefs: 00B6B7D5, 00B6B7DB
4, xrefs: 00B6B7A1
1-Speed Hack 2-Full Vision 3-Change Role (You Can Be Imposter or Ghost Or Crew Also You Will Be Able To See The Real Imposter in Crew)!4:Instant SkipEnter Number : , xrefs: 00B6B4CB
\, xrefs: 00B6B5F5
(, xrefs: 00B6B86D
4, xrefs: 00B6B6DF
, xrefs: 00B6B797
, xrefs: 00B6B6D5
1-CREW 2-IMPOSTER 3-GHOST:, xrefs: 00B6B686
\ 4(, xrefs: 00B6B89A, 00B6B8A0
4, xrefs: 00B6B863
(, xrefs: 00B6B7AB
\ 4(, xrefs: 00B6B713, 00B6B719
Invalid Number, xrefs: 00B6B98E
(, xrefs: 00B6B6E9
GHOST Role Activated, xrefs: 00B6B8C7
$, xrefs: 00B6B5EB
, xrefs: 00B6B609
<D, xrefs: 00B6B681
Speed Hack Activated, xrefs: 00B6B594
, xrefs: 00B6B859

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: ??5?$basic_istream@D@std@@@std@@SleepU?$char_traits@V01@system
String ID: $ $ $ $$$($($($,$1-CREW 2-IMPOSTER 3-GHOST:$1-Speed Hack 2-Full Vision 3-Change Role (You Can Be Imposter or Ghost Or Crew Also You Will Be Able To See The Real Imposter in Crew)!4:Instant SkipEnter Number : $4$4$4$Crew Role Activated$GHOST Role Activated$H$Imposter Role Activated$Invalid Number$Speed Hack Activated$\$\ 4($\ 4($\ 4($cls$<D
API String ID: 1856734369-1046371
Opcode ID: bedf38de4b9fa47260a2fdb17ee9673a661d95a63f233adf3e1bd86da2a5d9c0
Instruction ID: b838b4c1ef491a0edda5b7a00f1b7057563108f269ad60b61d982bf3705e8072
Opcode Fuzzy Hash: bedf38de4b9fa47260a2fdb17ee9673a661d95a63f233adf3e1bd86da2a5d9c0
Instruction Fuzzy Hash: 4ED17F72D00214AFDB20EB58DC8AFDEB7F8AB44304F0445D9E51EA7291DB795E848F92

Uniqueness

Uniqueness Score: -1.00%

Function 00B63E90 Relevance: 21.3, APIs: 14, Instructions: 319COMMON

Download Yara Rule

APIs

?width@ios_base@std@@QBE_JXZ.MSVCP140D ref: 00B63F08
?width@ios_base@std@@QBE_JXZ.MSVCP140D ref: 00B63F44
?width@ios_base@std@@QBE_JXZ.MSVCP140D ref: 00B63F82
?flags@ios_base@std@@QBEHXZ.MSVCP140D(?), ref: 00B64003
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ.MSVCP140D ref: 00B64063
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00B64085
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140D(?), ref: 00B640A8
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00B64114
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140D(?,?,?), ref: 00B6413B
?fill@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDXZ.MSVCP140D ref: 00B641B6
?rdbuf@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_streambuf@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00B641D8
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140D(?), ref: 00B641FB
?width@ios_base@std@@QAE_J_J@Z.MSVCP140D(00000000,00000000), ref: 00B64265
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140D(00000000,00000000), ref: 00B642BD

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$?width@ios_base@std@@$?rdbuf@?$basic_ios@D@std@@@2@V?$basic_streambuf@$?fill@?$basic_ios@?sputc@?$basic_streambuf@$?flags@ios_base@std@@?setstate@?$basic_ios@?sputn@?$basic_streambuf@
String ID:
API String ID: 4125389999-0
Opcode ID: 4a9f832e9cc5a458d52cf96dc74c64c7623b47704579e3d6b379914dce846e6e
Instruction ID: 132d4468b74461e96f15fd56a7e892a7f13adf8639b3366ab0160f0d0baeb694
Opcode Fuzzy Hash: 4a9f832e9cc5a458d52cf96dc74c64c7623b47704579e3d6b379914dce846e6e
Instruction Fuzzy Hash: 4AD1E375D00618DFCB14DF58D895BEDBBF1AF88305F148599E91AAB351CB39AE808F80

Uniqueness

Uniqueness Score: -1.00%

Function 00B68740 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 117COMMON

Download Yara Rule

APIs

_CrtDbgReport.UCRTBASED(00000002,C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory,0000007B,00000000,00B75CA8,invalid argument), ref: 00B687C2
_invalid_parameter.UCRTBASED("invalid argument",std::_Adjust_manually_vector_aligned,C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory,0000007B,00000000), ref: 00B687F4
_CrtDbgReport.UCRTBASED(00000002,C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory,00000071,00000000,00B75CA8,invalid argument), ref: 00B6884A
_invalid_parameter.UCRTBASED("invalid argument",std::_Adjust_manually_vector_aligned,C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory,00000071,00000000), ref: 00B6887C

Strings

C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory, xrefs: 00B687BB, 00B68843
std::_Adjust_manually_vector_aligned, xrefs: 00B687EA, 00B68872
C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory, xrefs: 00B687E5, 00B6886D
"invalid argument", xrefs: 00B687EF, 00B68877
', xrefs: 00B68824
invalid argument, xrefs: 00B687A6, 00B6882E

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: Report_invalid_parameter
String ID: "invalid argument"$'$C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory$C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory$invalid argument$std::_Adjust_manually_vector_aligned
API String ID: 4134963321-75597745
Opcode ID: 40d5e7931015afb73bad07e163175ebf147581e4b08a74bba7a02be18fe822f2
Instruction ID: d7f5d70e93f87d30ff82b0661d9eb39009e7605c5f9a95d8b6911fc4e2693573
Opcode Fuzzy Hash: 40d5e7931015afb73bad07e163175ebf147581e4b08a74bba7a02be18fe822f2
Instruction Fuzzy Hash: E741A070A40204AFDB30AB6CDC56F6D77E4FF00714F4086D5E919AB3A2DAB59D808BD6

Uniqueness

Uniqueness Score: -1.00%

Function 00B6D700 Relevance: 17.6, APIs: 3, Strings: 7, Instructions: 79COMMON

Download Yara Rule

APIs

failwithmessage.LIBCMTD ref: 00B6D73D

Part of subcall function 00B6DA20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00B6D7D2,000000FF,00000000,00000000,?), ref: 00B6DA81
Part of subcall function 00B6DA20: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00B6D7D2,000000FF,?,00000000), ref: 00B6DAA0
Part of subcall function 00B6DA20: DebuggerProbe.LIBCMTD ref: 00B6DABA
Part of subcall function 00B6DA20: DebuggerRuntime.LIBCMTD ref: 00B6DAD6
Part of subcall function 00B6DA20: IsDebuggerPresent.KERNEL32 ref: 00B6DAFF

_getMemBlockDataString.LIBCMTD ref: 00B6D769
failwithmessage.LIBCMTD ref: 00B6D7CD

Strings

Allocation number within this function: , xrefs: 00B6D78E
Address: 0x, xrefs: 00B6D79A
Data: <, xrefs: 00B6D783
Stack area around _alloca memory reserved by this function is corrupted, xrefs: 00B6D79F
Size: , xrefs: 00B6D794
Stack area around _alloca memory reserved by this function is corrupted, xrefs: 00B6D734
%s%s%p%s%zd%s%d%s%s%s%s%s, xrefs: 00B6D7A4

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: Debugger$ByteCharMultiWidefailwithmessage$BlockDataPresentProbeRuntimeString_get
String ID: Address: 0x$Allocation number within this function: $Data: <$Size: $%s%s%p%s%zd%s%d%s%s%s%s%s$Stack area around _alloca memory reserved by this function is corrupted$Stack area around _alloca memory reserved by this function is corrupted
API String ID: 4067135985-3301296223
Opcode ID: 7bf0c85c4b9b87af3b5ec1c3534ecb83a0d2d2f5ea1467b6859f204b3e1dc5cf
Instruction ID: e2ae53c6be968ec78d1015ab1f026c801bf59b3596cc3217cd9fbc3c2c91743c
Opcode Fuzzy Hash: 7bf0c85c4b9b87af3b5ec1c3534ecb83a0d2d2f5ea1467b6859f204b3e1dc5cf
Instruction Fuzzy Hash: 32215072A40208BBCB10DEA9DC82DEEB7ECEB48710F0485E5FA1DB7191DA749A448B50

Uniqueness

Uniqueness Score: -1.00%

Function 00B6EC80 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 310memorylibraryloaderCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32(?,?,0000001C), ref: 00B6ECA5
GetPdbDll.LIBCMTD ref: 00B6ED49
GetProcAddress.KERNEL32(00000000,PDBOpenValidate5), ref: 00B6ED6F
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B6EECC
HeapFree.KERNEL32(00000000), ref: 00B6EED3
GetProcessHeap.KERNEL32 ref: 00B6EF44
HeapAlloc.KERNEL32(00000000,00000000,?), ref: 00B6EF4E

Strings

PDBOpenValidate5, xrefs: 00B6ED69

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: Heap$Process$AddressAllocFreeProcQueryVirtual
String ID: PDBOpenValidate5
API String ID: 1898765391-413491164
Opcode ID: 09c29896e16ca802290e0bdd421bf920b547eeba2c3076b757fd2b51b8c5db3d
Instruction ID: 42a235f9cd7d4eab2f463d5068fb2a4c9154f7f604d7671d2a60455dccb40946
Opcode Fuzzy Hash: 09c29896e16ca802290e0bdd421bf920b547eeba2c3076b757fd2b51b8c5db3d
Instruction Fuzzy Hash: 56B17C39A002199FDF10DF64C854BAEBBB6FF48714F180099E925AB390DB75ED42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00B64500 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

_CrtDbgReport.UCRTBASED(00000002,C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory,00000079,00000000,00B75CA8,invalid argument), ref: 00B6456C
_invalid_parameter.UCRTBASED("invalid argument",std::_Allocate_manually_vector_aligned,C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory,00000079,00000000), ref: 00B64597

Strings

C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory, xrefs: 00B64565
C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory, xrefs: 00B64588
"invalid argument", xrefs: 00B64592
invalid argument, xrefs: 00B64557
std::_Allocate_manually_vector_aligned, xrefs: 00B6458D

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: Report_invalid_parameter
String ID: "invalid argument"$C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory$C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\xmemory$invalid argument$std::_Allocate_manually_vector_aligned
API String ID: 4134963321-2438732324
Opcode ID: 8a954d66e8b5ffc64f446679b137a8c432d128ed9245124e3af3f70fa6e9defd
Instruction ID: ea9a0d42f3e94dc82a15ccaf56f6429ed976f296f7a5a4a1d61e420787c046ce
Opcode Fuzzy Hash: 8a954d66e8b5ffc64f446679b137a8c432d128ed9245124e3af3f70fa6e9defd
Instruction Fuzzy Hash: 2121C871E00618ABDB20ABACDC47B9D76F4EF04304F1445A5F619BB391D7799D408B92

Uniqueness

Uniqueness Score: -1.00%

Function 00B67F70 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

_CrtDbgReport.UCRTBASED(00000002,C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\vector,000005DD,00000000,00B75CA8,vector subscript out of range,DD221F19), ref: 00B67FF2
_invalid_parameter.UCRTBASED("vector subscript out of range",std::vector<unsigned int,class std::allocator<unsigned int> >::operator [],C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\vector,000005DD,00000000), ref: 00B68020

Strings

C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\vector, xrefs: 00B68011
C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\vector, xrefs: 00B67FEB
"vector subscript out of range", xrefs: 00B6801B
vector subscript out of range, xrefs: 00B67FDA
std::vector<unsigned int,class std::allocator<unsigned int> >::operator [], xrefs: 00B68016

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: Report_invalid_parameter
String ID: "vector subscript out of range"$C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\vector$C:\Program Files (x86)\Microsoft Visual Studio\2019\Enterprise\VC\Tools\MSVC\14.27.29110\include\vector$std::vector<unsigned int,class std::allocator<unsigned int> >::operator []$vector subscript out of range
API String ID: 4134963321-2269947116
Opcode ID: 778b76dfd4716759a5a8a75d2682ac490ec18ebe44c5c0d9653816b3b07842d5
Instruction ID: 004d9e2272e14ae89499b1591205536de643a7e07b142cc80c4fbd286c1272a8
Opcode Fuzzy Hash: 778b76dfd4716759a5a8a75d2682ac490ec18ebe44c5c0d9653816b3b07842d5
Instruction Fuzzy Hash: 8F212831A84644ABCB20DB5CCC42F9EB7F4EB04714F1086ABF919B7791DE3999048AA1

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B020 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108threadinjectionCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(00000000,Among Us), ref: 00B6B07A
GetWindowThreadProcessId.USER32(?,?), ref: 00B6B094
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00B6B0C2
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B6B120

Strings

Among Us, xrefs: 00B6B073
GameAssembly.dll, xrefs: 00B6B0A1

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: Process$Window$FindMemoryOpenThreadWrite
String ID: Among Us$GameAssembly.dll
API String ID: 1529833687-2060409246
Opcode ID: 4ab4554cb8fd7f9577bda08afec19f64d446d2e28b696801c2fdfccee4ed07ec
Instruction ID: 8b3aa4a2a67e429a86f5f14c121b5769501de879e19d1a745e5b0e19ce6e822a
Opcode Fuzzy Hash: 4ab4554cb8fd7f9577bda08afec19f64d446d2e28b696801c2fdfccee4ed07ec
Instruction Fuzzy Hash: E4415F72D00208AFCB10EBA8D852BDEB7F8EF48310F544699F519A7291DB395A408F91

Uniqueness

Uniqueness Score: -1.00%

Function 00B6B1F0 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 108threadinjectionCOMMON

Download Yara Rule

APIs

FindWindowA.USER32(00000000,Among Us), ref: 00B6B24A
GetWindowThreadProcessId.USER32(?,?), ref: 00B6B264
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00B6B292
WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00B6B2F0

Strings

Among Us, xrefs: 00B6B243
GameAssembly.dll, xrefs: 00B6B271

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: Process$Window$FindMemoryOpenThreadWrite
String ID: Among Us$GameAssembly.dll
API String ID: 1529833687-2060409246
Opcode ID: 23af19e2d3f8c4240e7add44cadcce89a53b40b209e498aa3c4db0b13709c9d3
Instruction ID: a79e1f7434f2425acb736631981720bb5d507ed04eea5451aed7f0d20a2d0b3c
Opcode Fuzzy Hash: 23af19e2d3f8c4240e7add44cadcce89a53b40b209e498aa3c4db0b13709c9d3
Instruction Fuzzy Hash: D9415F72E00208AFCB10EBA8D852BDEB7F8EF48710F544699F519A7391DB395A408B91

Uniqueness

Uniqueness Score: -1.00%

Function 00B673D0 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

?good@ios_base@std@@QBE_NXZ.MSVCP140D(?,DD221F19), ref: 00B6743E
?tie@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEPAV?$basic_ostream@DU?$char_traits@D@std@@@2@XZ.MSVCP140D ref: 00B6746A

Memory Dump Source

Source File: 00000000.00000002.2441016965.0000000000B63000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000000.00000002.2440974274.0000000000B50000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441016965.0000000000B61000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441293127.0000000000B75000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441342459.0000000000B7A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441388968.0000000000B7C000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B7F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2441433761.0000000000B8E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b50000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$?good@ios_base@std@@?tie@?$basic_ios@D@std@@@2@D@std@@@std@@V?$basic_ostream@
String ID:
API String ID: 136917557-0
Opcode ID: 334dc96423a073f84e823e9b9183032801b102189d43cb8bb78d3a717c93c5e0
Instruction ID: 1d09d4167012fd7358873556d59aeea61dc55a0c34c4f492dbcbec09f410cdfb
Opcode Fuzzy Hash: 334dc96423a073f84e823e9b9183032801b102189d43cb8bb78d3a717c93c5e0
Instruction Fuzzy Hash: 6A318D35A04208EFCB10DF58D485BADBBF5EF48314F148699E819AB391CF39AD41CBA1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

Behavior

System Behavior

Analysis Process: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exePID: 4548, Parent PID: 4056

General

Chronological Activities

Analysis Process: conhost.exePID: 3500, Parent PID: 4548

General

Chronological Activities

Disassembly

Analysis Process: SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exePID: 4548, Parent PID: 4056COMMON

Non-executed Functions

Function 00B6D480 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Function 00B61271 Relevance: .0, Instructions: 2COMMON

Function 00B61393 Relevance: .0, Instructions: 2COMMON

Function 00B617CB Relevance: .0, Instructions: 2COMMON

Windows Analysis Report
SecuriteInfo.com.BScope.Trojan.Swrort.25034.19636.exe