Edit tour

Windows Analysis Report
getscreen-120727697-x86.exe

Overview

General Information

Sample name:	getscreen-120727697-x86.exe
Analysis ID:	1503397
MD5:	9c765958b4d463d04c41def1103aa1f2
SHA1:	987ac08a723a10f26c2d5e7270411585456596af
SHA256:	41bc389b3188eaafcc95f195774af57e2fc72b05557539bbd61975d9f82286c5
Infos:

Detection

Score:	54
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Compliance

Score:	47
Range:	0 - 100

Signatures

Modifies Internet Explorer zonemap settings

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to simulate mouse events

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: IE Change Domain Zone

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Classification

Process Tree

System is w10x64native

getscreen-120727697-x86.exe (PID: 6380 cmdline: "C:\Users\user\Desktop\getscreen-120727697-x86.exe" MD5: 9C765958B4D463D04C41DEF1103AA1F2)

getscreen-120727697-x86.exe (PID: 5796 cmdline: "C:\Users\user\Desktop\getscreen-120727697-x86.exe" -gpipe \\.\pipe\PCommand97eevsiwzhbqnwukq -gui MD5: 9C765958B4D463D04C41DEF1103AA1F2)

getscreen-120727697-x86.exe (PID: 4320 cmdline: "C:\Users\user\Desktop\getscreen-120727697-x86.exe" -cpipe \\.\pipe\PCommand96vrvrbjerbhsaigc -cmem 0000pipe0PCommand96vrvrbjerbhsaigc9zl1urwze4y5iil -child MD5: 9C765958B4D463D04C41DEF1103AA1F2)

rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe (PID: 7356 cmdline: "C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe" -elevate \\.\pipe\elevateGS512rzrcqgspmqryvpnwupffnbzpjfygzjn MD5: 9C765958B4D463D04C41DEF1103AA1F2)

svchost.exe (PID: 804 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon MD5: F586835082F632DC8D9404D83BC16316)

cleanup

Sigma Signatures

Sigma detected: IE Change Domain Zone

Source: Registry Key set

Author: frack113: Data: Details: 2, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\getscreen-120727697-x86.exe, ProcessId: 5796, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getscreen.me\http

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 900, ProcessCommandLine: C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon, ProcessId: 804, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Cryptography

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_0079584E crypto_cert_get_dns_names,	5_2_0079584E
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795831 crypto_cert_free,	5_2_00795831
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795966 crypto_cert_get_public_key,	5_2_00795966
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_0079612F crypto_rsa_public_encrypt,	5_2_0079612F
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_0079590A crypto_cert_get_email,	5_2_0079590A
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00796105 crypto_rsa_private_encrypt,	5_2_00796105
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00872165 freerdp_assistance_encrypt_pass_stub,	5_2_00872165
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795A61 crypto_cert_get_signature_alg,	5_2_00795A61
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795A65 crypto_cert_get_upn,	5_2_00795A65
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795ABB crypto_cert_hash,	5_2_00795ABB
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795B39 crypto_cert_print_info,crypto_cert_subject,crypto_cert_issuer,crypto_cert_fingerprint,	5_2_00795B39
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_007A7B3F crypto_base64_encode,	5_2_007A7B3F
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795B24 crypto_cert_issuer,	5_2_00795B24
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_007A7B24 crypto_base64_decode,	5_2_007A7B24
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_007EE437 _EncryptMessage@16,InitOnceExecuteOnce,	5_2_007EE437
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_007EE42E _DecryptMessage@16,InitOnceExecuteOnce,	5_2_007EE42E
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795D58 crypto_cert_read,	5_2_00795D58
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795DA5 crypto_cert_subject_common_name,	5_2_00795DA5
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795D97 crypto_cert_subject_alt_name,	5_2_00795D97
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795D82 crypto_cert_subject,	5_2_00795D82
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795E14 crypto_get_certificate_data,crypto_cert_fingerprint,crypto_cert_issuer,crypto_cert_subject,certificate_data_new,	5_2_00795E14
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00872620 freerdp_assistance_get_encrypted_pass_stub,	5_2_00872620
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795ED1 crypto_reverse,	5_2_00795ED1
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_0079576E crypto_cert_fingerprint,crypto_cert_fingerprint_by_hash,	5_2_0079576E
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795732 crypto_cert_dns_names_free,	5_2_00795732
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_007A3F1C certificate_data_new,crypto_base64_encode,crypto_base64_encode,	5_2_007A3F1C
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_00795782 crypto_cert_fingerprint_by_hash,crypto_cert_hash,	5_2_00795782
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C9584E crypto_cert_get_dns_names,	7_2_00C9584E
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95831 crypto_cert_free,	7_2_00C95831
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95966 crypto_cert_get_public_key,	7_2_00C95966
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00D72165 freerdp_assistance_encrypt_pass_stub,	7_2_00D72165
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C9590A crypto_cert_get_email,	7_2_00C9590A
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C96105 crypto_rsa_private_encrypt,	7_2_00C96105
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C9612F crypto_rsa_public_encrypt,	7_2_00C9612F
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95ABB crypto_cert_hash,	7_2_00C95ABB
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95A61 crypto_cert_get_signature_alg,	7_2_00C95A61
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95A65 crypto_cert_get_upn,	7_2_00C95A65
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95B24 crypto_cert_issuer,	7_2_00C95B24
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00CA7B24 crypto_base64_decode,	7_2_00CA7B24
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95B39 crypto_cert_print_info,crypto_cert_subject,crypto_cert_issuer,crypto_cert_fingerprint,	7_2_00C95B39
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00CA7B3F crypto_base64_encode,	7_2_00CA7B3F
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00CEE42E _DecryptMessage@16,InitOnceExecuteOnce,	7_2_00CEE42E
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00CEE437 _EncryptMessage@16,InitOnceExecuteOnce,	7_2_00CEE437
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95D82 crypto_cert_subject,	7_2_00C95D82
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95D97 crypto_cert_subject_alt_name,	7_2_00C95D97
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95DA5 crypto_cert_subject_common_name,	7_2_00C95DA5
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95D58 crypto_cert_read,	7_2_00C95D58
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95ED1 crypto_reverse,	7_2_00C95ED1
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95E14 crypto_get_certificate_data,crypto_cert_fingerprint,crypto_cert_issuer,crypto_cert_subject,certificate_data_new,	7_2_00C95E14
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00D72620 freerdp_assistance_get_encrypted_pass_stub,	7_2_00D72620
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95782 crypto_cert_fingerprint_by_hash,crypto_cert_hash,	7_2_00C95782
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C9576E crypto_cert_fingerprint,crypto_cert_fingerprint_by_hash,	7_2_00C9576E
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00CA3F1C certificate_data_new,crypto_base64_encode,crypto_base64_encode,	7_2_00CA3F1C
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00C95732 crypto_cert_dns_names_free,	7_2_00C95732

Bitcoin Miner

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION getscreen-120727697-x86.exe			Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION getscreen-120727697-x86.exe			Jump to behavior

Compliance

Uses 32bit PE files

Source: getscreen-120727697-x86.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

PE / OLE file has a valid certificate

Source: getscreen-120727697-x86.exe

Static PE information: certificate valid

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: getscreen-120727697-x86.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:

Binary string: C:\Project\agent-windows\console\Win32\Release\getscreen.pdb source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp

Networking

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 78.47.165.25 78.47.165.25
Source: Joe Sandbox View	IP Address: 51.89.95.37 51.89.95.37

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: OVHFR OVHFR

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
Source: global traffic	HTTP traffic detected: GET /signal/agent HTTP/1.1Host: getscreen.meUpgrade: websocketConnection: UpgradeSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==Origin: https://getscreen.meSec-WebSocket-Protocol: chat, superchatSec-WebSocket-Version: 13User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)

Source: global traffic

DNS traffic detected: DNS query: getscreen.me

Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODOCertificationAuthority.crl0
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://proxy.contoso.com:3128/
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://proxy.pcommand.com:3128
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01http://www.webrtc.org/exper
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-time
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-capture-timeurn:3gpp:video-orientationhttp://www.we
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/abs-send-time
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/color-space
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/generic-frame-descriptor-00
Source: getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/inband-cn
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/playout-delay
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/transport-wide-cc-02
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-content-type
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-frame-tracking-id
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-layers-allocation00
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.webrtc.org/experiments/rtp-hdrext/video-timing
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://%S/%S/agent/chat$.typeoutprocessData4Z
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://getscreen.me/agent-policy
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: https://getscreen.me/agent-policyhttps://%s/docs/agenthttps://%s/?utm_source=agent&utm_campaign=link
Source: getscreen-120727697-x86.exe, rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown	Network traffic detected: HTTP traffic on port 49779 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49780
Source: unknown	Network traffic detected: HTTP traffic on port 49766 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49779
Source: unknown	Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49770
Source: unknown	Network traffic detected: HTTP traffic on port 49767 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49780 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49768
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49767
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49766
Source: unknown	Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49765
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49770 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49753
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49765 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49768 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49771 -> 443

System Summary

Detected potential crypto function

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_001CB080	5_2_001CB080
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_001F89A0	5_2_001F89A0
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_001EA30D	5_2_001EA30D
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_006CB080	7_2_006CB080
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_006F89A0	7_2_006F89A0
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_006EA30D	7_2_006EA30D

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: String function: 00CE2354 appears 50 times
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: String function: 00CEE717 appears 101 times
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: String function: 007EE717 appears 101 times
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: String function: 007E2354 appears 50 times

PE file contains executable resources (Code or Archives)

Source: getscreen-120727697-x86.exe	Static PE information: Resource name: AFX_DIALOG_LAYOUT type: DOS executable (COM, 0x8C-variant)
Source: getscreen-120727697-x86.exe	Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: getscreen-120727697-x86.exe	Static PE information: Resource name: RT_DIALOG type: DOS executable (COM, 0x8C-variant)
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	Static PE information: Resource name: AFX_DIALOG_LAYOUT type: DOS executable (COM, 0x8C-variant)
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	Static PE information: Resource name: RT_ICON type: DOS executable (COM)
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	Static PE information: Resource name: RT_DIALOG type: DOS executable (COM, 0x8C-variant)

Sample file is different than original file name gathered from version info

Source: getscreen-120727697-x86.exe, 00000001.00000000.119507532953.0000000001DD3000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-120727697-x86.exe
Source: getscreen-120727697-x86.exe, 00000003.00000000.119512452310.0000000001DD3000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-120727697-x86.exe
Source: getscreen-120727697-x86.exe, 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-120727697-x86.exe
Source: getscreen-120727697-x86.exe, 00000007.00000000.119541151297.0000000001DD3000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-120727697-x86.exe
Source: getscreen-120727697-x86.exe	Binary or memory string: OriginalFilenamegetscreen.exe: vs getscreen-120727697-x86.exe

Uses 32bit PE files

Source: getscreen-120727697-x86.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal54.phis.evad.winEXE@8/5@2/2

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

File created: C:\Users\user\AppData\Local\Getscreen.me

Jump to behavior

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\PCommandMutextTurbo96phqghum

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

File read: C:\Users\user\Desktop\getscreen-120727697-x86.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\getscreen-120727697-x86.exe "C:\Users\user\Desktop\getscreen-120727697-x86.exe"
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Process created: C:\Users\user\Desktop\getscreen-120727697-x86.exe "C:\Users\user\Desktop\getscreen-120727697-x86.exe" -gpipe \\.\pipe\PCommand97eevsiwzhbqnwukq -gui
Source: unknown	Process created: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe "C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe" -elevate \\.\pipe\elevateGS512rzrcqgspmqryvpnwupffnbzpjfygzjn
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Process created: C:\Users\user\Desktop\getscreen-120727697-x86.exe "C:\Users\user\Desktop\getscreen-120727697-x86.exe" -cpipe \\.\pipe\PCommand96vrvrbjerbhsaigc -cmem 0000pipe0PCommand96vrvrbjerbhsaigc9zl1urwze4y5iil -child
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Process created: C:\Users\user\Desktop\getscreen-120727697-x86.exe "C:\Users\user\Desktop\getscreen-120727697-x86.exe" -gpipe \\.\pipe\PCommand97eevsiwzhbqnwukq -gui	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: C:\Users\user\Desktop\getscreen-120727697-x86.exe "C:\Users\user\Desktop\getscreen-120727697-x86.exe" -cpipe \\.\pipe\PCommand96vrvrbjerbhsaigc -cmem 0000pipe0PCommand96vrvrbjerbhsaigc9zl1urwze4y5iil -child	Jump to behavior

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: sas.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: mfwmaaec.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: mfperfhelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: avrt.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: sas.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: sas.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: seclogon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: sas.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: dsparse.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Section loaded: winsta.dll	Jump to behavior

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{304CE942-6E39-40D8-943A-B913C40C9CD4}\InprocServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

PE / OLE file has a valid certificate

Source: getscreen-120727697-x86.exe

Static PE information: certificate valid

Submission file is bigger than most known malware samples

Source: getscreen-120727697-x86.exe

Static file information: File size 3654440 > 1048576

PE file has a big raw section

Source: getscreen-120727697-x86.exe

Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x374e00

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: getscreen-120727697-x86.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Binary contains paths to debug symbols

Source:

Data Obfuscation

Contains functionality to dynamically determine API calls

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Code function: 5_2_018D29E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

5_2_018D29E0

PE file contains an invalid checksum

Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe.1.dr	Static PE information: real checksum: 0x38a69d should be: 0x37d1dc
Source: getscreen-120727697-x86.exe	Static PE information: real checksum: 0x38a69d should be: 0x37d1dc

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Drops PE files

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

File created: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Jump to dropped file

Drops PE files to the application program directory (C:\ProgramData)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

File created: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Code function: 5_2_007F7449 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

5_2_007F7449

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries memory information (via WMI often done to detect virtual machines)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, Size FROM Win32_DiskDrive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, Manufacturer, MACAddress, Speed, InterfaceIndex, Index, GUID FROM Win32_NetworkAdapter WHERE PhysicalAdapter=TRUE
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 1
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT DHCPServer, DNSServerSearchOrder, IPAddress FROM Win32_NetworkAdapterConfiguration WHERE InterfaceIndex = 2
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = 'True'

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BankLabel, DeviceLocator, DataWidth, Manufacturer, PartNumber, SerialNumber, Capacity FROM Win32_PhysicalMemory

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption, VolumeName, FileSystem, Size, FreeSpace FROM Win32_LogicalDisk

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Caption FROM Win32_SoundDevice

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	System information queried: FirmwareTableInformation	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Window / User API: threadDelayed 1262	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Window / User API: threadDelayed 4880	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Window / User API: threadDelayed 959	Jump to behavior

Found large amount of non-executed APIs

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	API coverage: 1.5 %
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	API coverage: 1.5 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe TID: 4784	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe TID: 6280	Thread sleep count: 959 > 30			Jump to behavior

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT BIOSVersion, Name, ReleaseDate FROM Win32_BIOS

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Model, Name, Domain, Workgroup FROM Win32_ComputerSystem

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name, NumberOfCores, NumberOfLogicalProcessors, MaxClockSpeed, Caption FROM Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

Last function: Thread delayed

Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: -WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=RT
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Hyper-V console (use port 2179, disable negotiation)
Source: getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMnet
Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119528587098.0000000002040000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllI
Source: getscreen-120727697-x86.exe, 00000007.00000002.119695475730.00000000023C1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll&
Source: getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: }WebRTC-AllowMACBasedIPv6WebRTC-BindUsingInterfaceNameVMnetWebRTC-UseDifferentiatedCellularCostsWebRTC-AddNetworkCostToVpnNet[:id=RTm

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	API call chain: ExitProcess graph end node			graph_5-13223
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	API call chain: ExitProcess graph end node			graph_7-12928

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Code function: 5_2_007FEE20 IsDebuggerPresent,

5_2_007FEE20

Contains functionality to dynamically determine API calls

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Code function: 5_2_018D29E0 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,

5_2_018D29E0

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	Code function: 5_2_0083FCA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		5_2_0083FCA9
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Code function: 7_2_00D3FCA9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		7_2_00D3FCA9

HIPS / PFW / Operating System Protection Evasion

Contains functionality to simulate mouse events

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Code function: 5_2_00797321 freerdp_input_send_extended_mouse_event,

5_2_00797321

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\svchost.exe

Process created: C:\Users\user\Desktop\getscreen-120727697-x86.exe "C:\Users\user\Desktop\getscreen-120727697-x86.exe" -cpipe \\.\pipe\PCommand96vrvrbjerbhsaigc -cmem 0000pipe0PCommand96vrvrbjerbhsaigc9zl1urwze4y5iil -child

Jump to behavior

Source: rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: loselink.button.copymain.isntall.howconnection.session.titleconnection.menu.copyconnection.menu.generatelogin.password.titlelogin.password.ennterlogin.active.help.1login.link.dashboard.1login.link.dashboard.2login.link.registerlogin.link.restorelogin.link.help.1login.link.help.2login.active.device.titlelogin.active.contactlogin.menu.dashboardlogin.menu.logoutsettings.common.titlesettings.common.agentsettings.common.languagesettings.common.startupsettings.common.onetimesettings.common.adminsettings.permission.titlesettings.permission.controlsettings.permission.audiosettings.permission.micsettings.permission.filesettings.permission.lock_inputsettings.permission.confirmsettings.proxy.buttoninvite.disableinvite.button.agreecall.income.textcall.income.acceptcall.income.rejectcall.out.textcall.out.cancelcall.connect.textcall.connect.closecall.active.closecall.rejecet.textcall.rejecet.againcall.rejecet.closecall.finish.textcall.finish.closeturbo.button.hideturbo.button.endturbo.button.proxyturbo.button.closeturbo.button.callturbo.button.chatturbo.confirm.closeturbo.confirm.close.yesturbo.confirm.close.noturbo.menu.exitturbo.menu.chatturbo.menu.showsettings.proxy.usesettings.proxy.serversettings.proxy.loginsettings.proxy.passwordsettings.proxy.applysettings.proxy.cancelconnection.confirm.acceptinstall.turbo.line2install.turbo.confirmconnection.link.titleconnection.link.text.4connection.link.title.2connection.link.title.3connection.link.getlogin.active.help.title.headlogin.active.help.title.2login.active.help.title.3connection.menu.clipboardconnection.menu.diactivateconnection.menu.disableShell_traywnd z

Language, Device and Operating System Detection

Contains functionality to query CPU information (cpuid)

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Code function: 5_2_001F89A0 cpuid

5_2_001F89A0

Source: C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Code function: 5_2_007AE4DD rfx_context_new,GetVersionExA,GetNativeSystemInfo,RegOpenKeyExA,primitives_get,CreateThreadpool,rfx_context_set_pixel_format,

5_2_007AE4DD

Lowering of HIPS / PFW / Operating System Security Settings

Modifies Internet Explorer zonemap settings

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getscreen.me http	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\getscreen.me https	Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\getscreen.me https	Jump to behavior

Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION			Jump to behavior
Source: C:\Users\user\Desktop\getscreen-120727697-x86.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	631 Windows Management Instrumentation	1 Scripting	12 Process Injection	1 Masquerading	OS Credential Dumping	731 Security Software Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	53 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Browser Session Hijacking	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	53 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Modify Registry	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Process Injection	LSA Secrets	133 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Obfuscated Files or Information	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
getscreen-120727697-x86.exe	3%	Virustotal		Browse
getscreen-120727697-x86.exe	3%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	3%	Virustotal		Browse
C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe	3%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
getscreen.me	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension	1%	Virustotal		Browse
https://getscreen.me/agent-policyhttps://%s/docs/agenthttps://%s/?utm_source=agent&utm_campaign=link	0%	Avira URL Cloud	safe
http://proxy.contoso.com:3128/	0%	Virustotal		Browse
https://%S/%S/agent/chat$.typeoutprocessData4Z	0%	Avira URL Cloud	safe
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension	0%	Avira URL Cloud	safe
http://proxy.contoso.com:3128/	0%	Avira URL Cloud	safe
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01	0%	Avira URL Cloud	safe
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01	0%	Virustotal		Browse
https://getscreen.me/signal/agent	0%	Avira URL Cloud	safe
http://proxy.pcommand.com:3128	0%	Avira URL Cloud	safe
https://getscreen.me/agent-policy	0%	Avira URL Cloud	safe
https://getscreen.me/agent-policy	0%	Virustotal		Browse
https://getscreen.me/signal/agent	0%	Virustotal		Browse
https://getscreen.me/agent-policyhttps://%s/docs/agenthttps://%s/?utm_source=agent&utm_campaign=link	0%	Virustotal		Browse
http://proxy.pcommand.com:3128	0%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
getscreen.me	51.89.95.37	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://getscreen.me/signal/agent	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://getscreen.me/agent-policyhttps://%s/docs/agenthttps://%s/?utm_source=agent&utm_campaign=link	rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://proxy.contoso.com:3128/	rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.ietf.org/id/draft-holmer-rmcat-transport-wide-cc-extensions-01	rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://%S/%S/agent/chat$.typeoutprocessData4Z	rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	unknown
https://aomediacodec.github.io/av1-rtp-spec/#dependency-descriptor-rtp-header-extension	rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://getscreen.me/agent-policy	rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://proxy.pcommand.com:3128	rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe, 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmp, getscreen-120727697-x86.exe, 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
78.47.165.25	unknown	Germany		24940	HETZNER-ASDE	false
51.89.95.37	getscreen.me	France		16276	OVHFR	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1503397
Start date and time:	2024-09-03 14:41:14 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected VM Detection
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	getscreen-120727697-x86.exe
Detection:	MAL
Classification:	mal54.phis.evad.winEXE@8/5@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Connection to analysis system has been lost, crash info: Unknown
Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, c.pki.goog
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:43:25	API Interceptor	28697x Sleep call for process: getscreen-120727697-x86.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
78.47.165.25	getscreen-669912037.exe	Get hash	malicious	Unknown	Browse
	getscreen-456311346-x86.exe	Get hash	malicious	Unknown	Browse
	getscreen-456311346-x86.exe	Get hash	malicious	Unknown	Browse
	getscreen-941605629.exe	Get hash	malicious	Unknown	Browse
	getscreen-941605629.exe	Get hash	malicious	Unknown	Browse
	getscreen-156413884-x86.exe	Get hash	malicious	Unknown	Browse
	getscreen-156413884-x86.exe	Get hash	malicious	Unknown	Browse
	getscreen-511588515.exe	Get hash	malicious	Unknown	Browse
	getscreen-973519027.exe	Get hash	malicious	Unknown	Browse
	getscreen-973519027.exe	Get hash	malicious	Unknown	Browse
51.89.95.37	getscreen-456311346-x86.exe	Get hash	malicious	Unknown	Browse
	getscreen-941605629-x86.exe	Get hash	malicious	Unknown	Browse
	getscreen-469829524.exe	Get hash	malicious	Unknown	Browse
	getscreen-469829524.exe	Get hash	malicious	Unknown	Browse
	getscreen-156413884-x86.exe	Get hash	malicious	Unknown	Browse
	getscreen-511588515.exe	Get hash	malicious	Unknown	Browse
	getscreen-959987858.exe	Get hash	malicious	Unknown	Browse
	getscreen-973519027.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
getscreen.me	getscreen-669912037.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-456311346-x86.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-456311346-x86.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-941605629.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-941605629-x86.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-941605629.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-469829524.exe	Get hash	malicious	Unknown	Browse	51.89.95.37
	getscreen-469829524.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-156413884-x86.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-156413884-x86.exe	Get hash	malicious	Unknown	Browse	5.75.168.191

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HETZNER-ASDE	getscreen-669912037.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	154.213.187.80-mips-2024-08-30T23_29_44.elf	Get hash	malicious	Mirai	Browse	136.243.206.131
	getscreen-456311346-x86.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-456311346-x86.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-941605629.exe	Get hash	malicious	Unknown	Browse	78.47.165.25
	getscreen-941605629-x86.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	getscreen-941605629.exe	Get hash	malicious	Unknown	Browse	5.75.168.191
	http://ipscanadvsf.com	Get hash	malicious	Unknown	Browse	116.203.55.214
	http://instagrab000.blogspot.com/	Get hash	malicious	HTMLPhisher	Browse	116.202.167.133
	SecuriteInfo.com.Exploit.CVE-2017-0199.121.20522.7152.xlsx	Get hash	malicious	FormBook	Browse	88.99.66.38
OVHFR	20-EM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook	Browse	37.187.158.211
	getscreen-456311346-x86.exe	Get hash	malicious	Unknown	Browse	51.89.95.37
	getscreen-941605629-x86.exe	Get hash	malicious	Unknown	Browse	51.89.95.37
	BTC.exe	Get hash	malicious	AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm	Browse	91.134.207.16
	https://src-assistanceclient.com/robots.txt	Get hash	malicious	Unknown	Browse	54.37.149.170
	http://instagrab000.blogspot.com/	Get hash	malicious	HTMLPhisher	Browse	149.56.240.27
	sBX8VM67ZE.exe	Get hash	malicious	FormBook	Browse	94.23.162.163
	ROOMING 24034 Period Check-in on July 5th and departure on July 15th, 2024.bat	Get hash	malicious	Unknown	Browse	94.23.17.185
	RFQ STR-160-01.exe	Get hash	malicious	FormBook	Browse	37.187.158.211
	mirai.dbg.elf	Get hash	malicious	Mirai	Browse	178.33.114.253

Process:	C:\Users\user\Desktop\getscreen-120727697-x86.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.78125
Encrypted:	false
SSDEEP:	3:BvF3qsDDWackos/TIOM+C8uzP:ypXkFRJuj
MD5:	EFB6D99CFEFFB4B681465A5C6FA71623
SHA1:	D9D3231653A010BEB937AC50606D5D7689B0DEA0
SHA-256:	8AA160E3775FAD327B47F14D58FCFF2B29F3174D314546C89266B42F6746F878
SHA-512:	7DAEA4B0A9BA6AADFF14890E874BC60947D13CD1A05DF9CB559A1F46F1C3607DEA46FB8BBBF094C394CDB69EDFE96707D729B84A23EEE36D650835D4214DBA7B
Malicious:	false
Reputation:	low
Preview:	...J.+.q....:.O.._...t............,.6.<.....2.@\.%.+.#.K.jK..

C:\ProgramData\Getscreen.me\logs\20240903.log

Download File

Process:	C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	4033
Entropy (8bit):	5.17666070990986
Encrypted:	false
SSDEEP:	96:bGNvekYUlsiAsMywsCeQvHc3QbtL77wsFosf3z0nhZ17PH8amiiP:6gkYbvZJos/whZ17PH8a9iP
MD5:	749B5F85EA1623AC5723ED21C20E5FDC
SHA1:	46A4132FA3D6B7CFCC1D86E6EC123845E6DB2D15
SHA-256:	80F4C32C9E53C1E5B6B9002D187E0BF06428AC2189F89A07FE1853343185A84E
SHA-512:	C6A1F3926FFA98C678162BEB625F3C1013AD565E4DACD6EEC5ECE36EF217F169A1A879B64995502FBB1A3BA142A1B035FFDD998CFE8FBA23E9E185CDE2AEA9DC
Malicious:	false
Reputation:	low
Preview:	12:43:22.923.INFO.GuiSessionList created new gui session for: 1, is active: false..12:43:22.923.INFO.Server start server run....12:43:22.923.INFO.Start Getscreen.me v 2.21.3 build 2 revision 0..12:43:22.984.INFO.GUI GUI started..12:43:23.187.INFO.CGuiSessionList m_active is null..12:43:23.646.INFO.CConfigStore Loaded config from `C:\ProgramData\Getscreen.me\folder\settings.dat`..12:43:23.647.ERROR.Service service 'GetscreenSV' not found..12:43:23.929.INFO.Service service 'GetscreenSV' installed..12:43:24.202.INFO.Service service 'GetscreenSV' start success..12:43:24.205.INFO.Service get control message 1..12:43:24.242.INFO.FrameMark hide frame..12:43:24.714.INFO.Service service 'GetscreenSV' stop [0] (0)..12:43:25.229.INFO.Service service 'GetscreenSV' removed..12:43:25.245.INFO.Child success get system token..12:43:25.246.INFO.Child start child process simply..12:43:25.247.INFO

C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

Download File

Process:	C:\Users\user\Desktop\getscreen-120727697-x86.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	3654440
Entropy (8bit):	7.931175093248247
Encrypted:	false
SSDEEP:	98304:w2WbzRq8h0oEPel9/DLRAHyGBydPnYMJojL5Np:w2ez4o0OmyVnvKLF
MD5:	9C765958B4D463D04C41DEF1103AA1F2
SHA1:	987AC08A723A10F26C2D5E7270411585456596AF
SHA-256:	41BC389B3188EAAFCC95F195774AF57E2FC72B05557539BBD61975D9F82286C5
SHA-512:	523526BEE9067845910E90888BBC1B704BACA0AC1F331F5B02CAD61A9BF868A5BC15F7D6C62956A8A3B4E8D36BD8FB07C0DEEA30314E1C9395A20FFD4B0B14EE
Malicious:	true
Antivirus:	Antivirus: Virustotal, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 3%
Reputation:	low
Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......iI/.-(AD-(AD-(ADfPBE.(AD.D)(AD.EE5(AD9WEE.(AD-(AD./ADfPFE,(AD.BE3(AD.DE](ADfPEE.(ADfPDE.(ADfPGE/(ADfP@En(AD-(@D.*AD>.HE.(AD>.AE,(AD>..D,(AD-(.D,(AD>.CE,(ADRich-(AD........................PE..L..../.f...............(.P7..P....=..)u...=..0u...@...........................u.......8...@..............................U..Pju......0u.P:............7.(/...qu. ............................+u.....<,u.............................................UPX0......=.............................UPX1.....P7...=..N7.................@....rsrc....P...0u..B...R7.............@..............................................................................................................................................................................................................................................................................................................4.22.UPX!....

C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\getscreen-120727697-x86.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Getscreen.me\folder\settings.dat

Download File

Process:	C:\Users\user\Desktop\getscreen-120727697-x86.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	5.8125
Encrypted:	false
SSDEEP:	3:BvF3qsDDWackos/TIOMpFl8g:ypXkFROFz
MD5:	E444EE54DCA0021D3740527C9CEF7C38
SHA1:	BF0776FBD10045A1411B62B75CD74D28B05D8328
SHA-256:	3833DC4C5BEAB75ACA4219D2FDF5795E234CD3CED75CBB056EB9CF3A24AB4C6B
SHA-512:	0B043D2CE15E62A7B68082894A603978D53C3A6A37FE5CAA008764C49C3DC8B939C2B7DE0562C960A999CB621579D8835FF1620EF009088D2079A05284C3ECFD
Malicious:	false
Preview:	...J.+.q....:.O.._...t............,.6.<.....2.8UO..u.C/.A{;

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.931175093248247
TrID:	Win32 Executable (generic) a (10002005/4) 99.66% UPX compressed Win32 Executable (30571/9) 0.30% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	getscreen-120727697-x86.exe
File size:	3'654'440 bytes
MD5:	9c765958b4d463d04c41def1103aa1f2
SHA1:	987ac08a723a10f26c2d5e7270411585456596af
SHA256:	41bc389b3188eaafcc95f195774af57e2fc72b05557539bbd61975d9f82286c5
SHA512:	523526bee9067845910e90888bbc1b704baca0ac1f331f5b02cad61a9bf868a5bc15f7d6c62956a8a3b4e8d36bd8fb07c0deea30314e1c9395a20ffd4b0b14ee
SSDEEP:	98304:w2WbzRq8h0oEPel9/DLRAHyGBydPnYMJojL5Np:w2ez4o0OmyVnvKLF
TLSH:	900633E1ED6939A1D33D5CB8111B56BD73FAA03658FE23C78A1D9B219E347028F52113
File Content Preview:	MZ......................@...................................@...........!..L.!This program cannot be run in DOS mode....$.......iI/.-(AD-(AD-(ADfPBE.(AD...D)(AD..EE5(AD9WEE.(AD-(AD./ADfPFE,(AD..BE3(AD..DE](ADfPEE.(ADfPDE.(ADfPGE/(ADfP@En(AD-(@D.*AD>.HE.(A

File Icon


Icon Hash:	418c6963696c9643

Static PE Info

General

Entrypoint:	0x1b529e0
Entrypoint Section:	UPX1
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66912FD6 [Fri Jul 12 13:29:58 2024 UTC]
TLS Callbacks:	0x1b52bd3
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	26c6aff4250b45d1c4ee6d86013ea70c

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=GlobalSign GCC R45 EV CodeSigning CA 2020, O=GlobalSign nv-sa, C=BE
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	28/05/2024 15:50:28 28/06/2026 16:36:10
Subject Chain	CN=POINT B LTD, O=POINT B LTD, L=Limassol, S=Limassol, C=CY, OID.1.3.6.1.4.1.311.60.2.1.3=CY, SERIALNUMBER=HE 430957, OID.2.5.4.15=Private Organization
Version:	3
Thumbprint MD5:	9B083870477F4699693EEECABF351BF8
Thumbprint SHA-1:	B3C999E29AED18DEA59733F3CAA94E788B1AC3A1
Thumbprint SHA-256:	3E73B7C28C18DC6A03B9816F200365F1DF1FF80A7BD0D55DB920F1B24BBD74E7
Serial:	7AE0E9C1CFE2DCE0E21C4327

Entrypoint Preview

Instruction
pushad
mov esi, 017DE000h
lea edi, dword ptr [esi-013DD000h]
push edi
or ebp, FFFFFFFFh
jmp 00007F6B44E41A82h
nop
nop
nop
nop
nop
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007F6B44E41A79h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F6B44E41A5Fh
mov eax, 00000001h
add ebx, ebx
jne 00007F6B44E41A79h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007F6B44E41A7Dh
jne 00007F6B44E41A9Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F6B44E41A91h
dec eax
add ebx, ebx
jne 00007F6B44E41A79h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007F6B44E41A46h
add ebx, ebx
jne 00007F6B44E41A79h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007F6B44E41AC4h
xor ecx, ecx
sub eax, 03h
jc 00007F6B44E41A83h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007F6B44E41AE7h
sar eax, 1
mov ebp, eax
jmp 00007F6B44E41A7Dh
add ebx, ebx
jne 00007F6B44E41A79h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F6B44E41A3Eh
inc ecx
add ebx, ebx
jne 00007F6B44E41A79h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007F6B44E41A30h
add ebx, ebx
jne 00007F6B44E41A79h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007F6B44E41A61h
jne 00007F6B44E41A7Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007F6B44E41A56h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [eax+eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x820d90	0x5500	UPX0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1756a50	0x6c0	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1753000	0x3a50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x379400	0x2f28	UPX0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1757110	0x20	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x1752bf4	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1752c3c	0xc0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0x13dd000	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0x13de000	0x375000	0x374e00	a216f7d1a8e4e14b94fdfbca52f7b652	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1753000	0x5000	0x4200	5871e1397e577651929aa76b50980e16	False	0.4675662878787879	data	5.104875966236682	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x168ca98	0x2	ASCII text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168caa0	0x2	Non-ISO extended-ASCII text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cb08	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x16d4db0	0x2	ASCII text, with no line terminators			5.0
AFX_DIALOG_LAYOUT	0x168caa8	0x2	ISO-8859 text, with CR line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cb00	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cb10	0x2a	DOS executable (COM, 0x8C-variant)	Russian	Russia	1.2142857142857142
AFX_DIALOG_LAYOUT	0x168cb40	0x22	data	Russian	Russia	1.2647058823529411
AFX_DIALOG_LAYOUT	0x168cb68	0x22	data	Russian	Russia	1.2647058823529411
AFX_DIALOG_LAYOUT	0x168cb90	0x22	data	Russian	Russia	1.2647058823529411
AFX_DIALOG_LAYOUT	0x168cbb8	0x22	data	Russian	Russia	1.2647058823529411
AFX_DIALOG_LAYOUT	0x168cbe0	0x2a	data	Russian	Russia	1.2142857142857142
AFX_DIALOG_LAYOUT	0x168cc10	0x2	ASCII text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc28	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc20	0x2	data	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc18	0x2	ASCII text	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc30	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc38	0x2	ASCII text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc40	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x16d4ff0	0x2	ISO-8859 text, with no line terminators	English	United States	5.0
AFX_DIALOG_LAYOUT	0x168cc48	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc50	0x2	data	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc58	0x2	data	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc60	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc68	0x2	data	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc70	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cab0	0x42	data	Russian	Russia	1.1666666666666667
AFX_DIALOG_LAYOUT	0x168caf8	0x2	ISO-8859 text, with no line terminators	Russian	Russia	5.0
AFX_DIALOG_LAYOUT	0x168cc78	0x2	ISO-8859 text, with no line terminators, with overstriking	Russian	Russia	5.0
INI	0x16d3a18	0xa	data	Russian	Russia	1.8
LANG	0x16ace60	0x1b82	data	Russian	Russia	0.8660891792104516
LANG	0x16ae9e8	0x26fb	data	Russian	Russia	0.950796673013328
LANG	0x16b10e8	0x1e2b	data	Russian	Russia	0.9835556131037162
LANG	0x16b2f18	0x1e5d	data	Russian	Russia	0.9994853981731635
LANG	0x16b4d78	0x1ca1	data	Russian	Russia	0.9953608950743621
LANG	0x16b6a20	0x21fd	data	Russian	Russia	0.983794966095851
LANG	0x16b8c20	0x1de4	data	Russian	Russia	0.9225039205436487
LANG	0x16baa08	0x1a50	data	Russian	Russia	0.962143705463183
LANG	0x16bc458	0x1d25	data	Russian	Russia	0.9987937273823885
LANG	0x16be180	0x1e03	data	Russian	Russia	0.9980476376415462
LANG	0x16e7c38	0x1ddc	data	English	United States	0.9955520669806384
OPUS	0x16bff88	0xa5e5	data	Russian	Russia	0.9886505451034873
OPUS	0x16ca570	0x94a4	data	Russian	Russia	0.978082623777988
RT_ICON	0x168cc80	0x139	data	Russian	Russia	1.035143769968051
RT_ICON	0x168cdc0	0x1ef	data	Russian	Russia	1.0222222222222221
RT_ICON	0x168cfb0	0x225	data	Russian	Russia	1.0200364298724955
RT_ICON	0x168d1d8	0x26b	OpenPGP Public Key	Russian	Russia	1.0177705977382876
RT_ICON	0x168d448	0x326	data	Russian	Russia	1.0136476426799008
RT_ICON	0x168d770	0x402	data	Russian	Russia	1.010721247563353
RT_ICON	0x17550f0	0x13b	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.034920634920635
RT_ICON	0x1755230	0x1c5	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0242825607064017
RT_ICON	0x17553fc	0x1ee	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0222672064777327
RT_ICON	0x17555f0	0x253	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0184873949579831
RT_ICON	0x1755848	0x2e7	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0148048452220726
RT_ICON	0x1755b34	0x3ad	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	Russian	Russia	1.0116896918172158
RT_ICON	0x168ea20	0xac	data	Russian	Russia	1.063953488372093
RT_ICON	0x168eae8	0x159	data	Russian	Russia	1.0318840579710145
RT_ICON	0x168ec48	0x1e6	data	Russian	Russia	1.022633744855967
RT_ICON	0x168ee30	0x1f6	data	Russian	Russia	1.0219123505976095
RT_ICON	0x168f028	0x26d	data	Russian	Russia	1.0177133655394526
RT_ICON	0x168f298	0x31b	data	Russian	Russia	1.0138364779874214
RT_ICON	0x168f5b8	0x3e7	data	Russian	Russia	1.011011011011011
RT_ICON	0x168fa00	0xdd	DOS executable (COM)	Russian	Russia	1.0497737556561086
RT_ICON	0x168faf8	0x10f	data	Russian	Russia	1.040590405904059
RT_ICON	0x168fc20	0x25a8	data	Russian	Russia	0.999896265560166
RT_ICON	0x16921e0	0x12d	data	Russian	Russia	1.0365448504983388
RT_ICON	0x1692328	0x106	data	Russian	Russia	1.0419847328244274
RT_ICON	0x1692448	0x109	data	Russian	Russia	1.0415094339622641
RT_ICON	0x1692570	0x171	data	Russian	Russia	1.029810298102981
RT_ICON	0x1692700	0x109d	data	Russian	Russia	1.0025864095932282
RT_ICON	0x16937b8	0xdd9	data	Russian	Russia	1.0031029619181946
RT_ICON	0x16945b0	0xc0e	data	Russian	Russia	1.0035644847699288
RT_ICON	0x16951d8	0xb91	data	Russian	Russia	1.0037149611617697
RT_ICON	0x1695d88	0xdd9	data	Russian	Russia	1.0031029619181946
RT_ICON	0x1696b80	0x11c	data	Russian	Russia	1.0387323943661972
RT_ICON	0x1696cb8	0x116	data	Russian	Russia	1.039568345323741
RT_ICON	0x1696de8	0x1c4	data	Russian	Russia	1.0243362831858407
RT_ICON	0x1696fc8	0x1a1	data	Russian	Russia	1.026378896882494
RT_ICON	0x1697188	0x182	data	Russian	Russia	1.028497409326425
RT_ICON	0x1697328	0x222	data	Russian	Russia	1.02014652014652
RT_ICON	0x1697568	0x11f	OpenPGP Secret Key	Russian	Russia	1.038327526132404
RT_ICON	0x16976a0	0x103	data	Russian	Russia	1.0424710424710424
RT_ICON	0x16977c0	0x1588	data	Russian	Russia	1.0019956458635704
RT_ICON	0x1698d60	0x580	data	Russian	Russia	1.0078125
RT_ICON	0x16992f8	0x988	data	Russian	Russia	1.0045081967213114
RT_ICON	0x1699c98	0x25a8	data	Russian	Russia	0.9986514522821577
RT_ICON	0x169c258	0x10828	data	Russian	Russia	0.9908316573997398
RT_ICON	0x16d3a28	0x163	data			1.0309859154929577
RT_ICON	0x16d3b90	0x20d	data			1.020952380952381
RT_ICON	0x16d3da0	0x21b	data			1.0148423005565863
RT_ICON	0x16d3fc0	0x282	data			1.017133956386293
RT_ICON	0x16d4248	0x33c	data			1.0132850241545894
RT_ICON	0x16d4588	0x413	data			1.0105465004793863
RT_ICON	0x16d4a00	0x152	data			0.9792899408284024
RT_ICON	0x16d4ff8	0x10a8	data	English	United States	0.9798311444652908
RT_ICON	0x16d60b8	0x988	data	English	United States	1.0045081967213114
RT_ICON	0x16d6a58	0x988	data	English	United States	0.9721311475409836
RT_ICON	0x16d73f8	0x10828	data	English	United States	0.9158286998698687
RT_MENU	0x16d4b70	0xf8	data			1.0161290322580645
RT_MENU	0x16acd20	0xd2	data	Russian	Russia	1.0523809523809524
RT_MENU	0x16acdf8	0x66	data	Russian	Russia	1.088235294117647
RT_MENU	0x16d4c68	0x46	data			1.1571428571428573
RT_DIALOG	0x168a0f0	0x490	data	Russian	Russia	1.009417808219178
RT_DIALOG	0x168a580	0x78	data	Russian	Russia	1.0916666666666666
RT_DIALOG	0x16d4cb0	0x100	data			0.9765625
RT_DIALOG	0x168a5f8	0x1f8	data	Russian	Russia	1.0218253968253967
RT_DIALOG	0x168acb0	0x190	data	Russian	Russia	1.0275
RT_DIALOG	0x168ae40	0x154	data	Russian	Russia	1.0323529411764707
RT_DIALOG	0x168af98	0xf4	data	Russian	Russia	1.0450819672131149
RT_DIALOG	0x168b090	0x12c	data	Russian	Russia	1.0366666666666666
RT_DIALOG	0x168b1c0	0x110	data	Russian	Russia	1.0404411764705883
RT_DIALOG	0x168b2d0	0x128	data	Russian	Russia	1.037162162162162
RT_DIALOG	0x168b3f8	0x154	data	Russian	Russia	1.0323529411764707
RT_DIALOG	0x168b550	0x7e	data	Russian	Russia	1.0873015873015872
RT_DIALOG	0x168b808	0x148	data	Russian	Russia	1.0335365853658536
RT_DIALOG	0x168b738	0xd0	data	Russian	Russia	1.0528846153846154
RT_DIALOG	0x168b5d0	0x164	data	Russian	Russia	1.0308988764044944
RT_DIALOG	0x168b950	0x14c	data	Russian	Russia	1.033132530120482
RT_DIALOG	0x168baa0	0x1f0	data	Russian	Russia	1.0221774193548387
RT_DIALOG	0x168bc90	0x284	data	Russian	Russia	1.0170807453416149
RT_DIALOG	0x16d4db8	0x232	data	English	United States	1.019572953736655
RT_DIALOG	0x168bf18	0x182	data	Russian	Russia	1.0129533678756477
RT_DIALOG	0x168c0a0	0x68	data	Russian	Russia	1.1057692307692308
RT_DIALOG	0x168c108	0x1f8	DOS executable (COM, 0x8C-variant)	Russian	Russia	1.0218253968253967
RT_DIALOG	0x168c300	0x218	data	Russian	Russia	1.0205223880597014
RT_DIALOG	0x168c518	0x2ba	data	Russian	Russia	1.015759312320917
RT_DIALOG	0x168c7d8	0x242	data	Russian	Russia	1.019031141868512
RT_DIALOG	0x168a7f0	0x21c	data	Russian	Russia	1.0203703703703704
RT_DIALOG	0x168aa10	0x29a	data	Russian	Russia	1.0165165165165164
RT_DIALOG	0x168ca20	0x72	OpenPGP Secret Key	Russian	Russia	1.0964912280701755
RT_STRING	0x16e9a18	0x38	data	Russian	Russia	1.1964285714285714
RT_GROUP_ICON	0x1755ee8	0x5a	data	Russian	Russia	0.8
RT_GROUP_ICON	0x168db78	0x5a	data	Russian	Russia	1.1222222222222222
RT_GROUP_ICON	0x16d49a0	0x5a	data			1.1222222222222222
RT_GROUP_ICON	0x16977a8	0x14	data	Russian	Russia	1.4
RT_GROUP_ICON	0x168ead0	0x14	data	Russian	Russia	1.4
RT_GROUP_ICON	0x168f9a0	0x5a	data	Russian	Russia	1.1222222222222222
RT_GROUP_ICON	0x1698d48	0x14	Non-ISO extended-ASCII text, with CR line terminators	Russian	Russia	1.45
RT_GROUP_ICON	0x168fae0	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x168fc08	0x14	data	Russian	Russia	1.2
RT_GROUP_ICON	0x16921c8	0x14	Non-ISO extended-ASCII text, with LF, NEL line terminators	Russian	Russia	1.4
RT_GROUP_ICON	0x16d4b58	0x14	Non-ISO extended-ASCII text, with no line terminators			1.4
RT_GROUP_ICON	0x1692310	0x14	data	Russian	Russia	1.4
RT_GROUP_ICON	0x1692430	0x14	locale data table	Russian	Russia	1.4
RT_GROUP_ICON	0x1692558	0x14	International EBCDIC text, with NEL line terminators	Russian	Russia	1.45
RT_GROUP_ICON	0x16926e8	0x14	data	Russian	Russia	1.4
RT_GROUP_ICON	0x16937a0	0x14	Non-ISO extended-ASCII text, with no line terminators, with overstriking	Russian	Russia	1.45
RT_GROUP_ICON	0x1694598	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x16951c0	0x14	Non-ISO extended-ASCII text, with no line terminators	Russian	Russia	1.4
RT_GROUP_ICON	0x1695d70	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x1696b68	0x14	data	Russian	Russia	1.4
RT_GROUP_ICON	0x1696ca0	0x14	data	Russian	Russia	1.4
RT_GROUP_ICON	0x1696dd0	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x1696fb0	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x1697170	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x1697310	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x1697550	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x1697688	0x14	data	Russian	Russia	1.4
RT_GROUP_ICON	0x16992e0	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x1699c80	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x16d60a0	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x169c240	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x16aca80	0x14	data	Russian	Russia	1.45
RT_GROUP_ICON	0x16d6a40	0x14	data	English	United States	1.4
RT_GROUP_ICON	0x16d73e0	0x14	data	English	United States	1.45
RT_GROUP_ICON	0x16e7c20	0x14	data	English	United States	1.45
RT_VERSION	0x1755f48	0x284	data	Russian	Russia	0.468944099378882
RT_MANIFEST	0x17561d0	0x87f	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2115), with CRLF line terminators	English	United States	0.31264367816091954

Imports

DLL	Import
ADVAPI32.dll	FreeSid
COMCTL32.dll	_TrackMouseEvent
d3d11.dll	D3D11CreateDevice
dbghelp.dll	StackWalk
dxgi.dll	CreateDXGIFactory1
GDI32.dll	LineTo
gdiplus.dll	GdipFree
IPHLPAPI.DLL	GetIfEntry2
KERNEL32.DLL	LoadLibraryA, ExitProcess, GetProcAddress, VirtualProtect
MPR.dll	WNetGetConnectionW
msdmo.dll	MoInitMediaType
NETAPI32.dll	NetUserGetInfo
ntdll.dll	RtlGetVersion
NTDSAPI.dll	DsMakeSpnW
ole32.dll	OleCreate
OLEAUT32.dll	SysFreeString
POWRPROF.dll	PowerGetActiveScheme
RPCRT4.dll	UuidEqual
SAS.dll	SendSAS
Secur32.dll	FreeCredentialsHandle
SHELL32.dll
SHLWAPI.dll	PathFileExistsA
USER32.dll	GetDC
USERENV.dll	CreateEnvironmentBlock
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WINHTTP.dll	WinHttpOpen
WINMM.dll	waveInOpen
WINSPOOL.DRV	GetPrinterW
WS2_32.dll	WSASetLastError
WTSAPI32.dll	WTSFreeMemory

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 3, 2024 14:43:26.308003902 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:26.308024883 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:26.308335066 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:26.308608055 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:26.308619022 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:26.812908888 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:26.813476086 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:26.813504934 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:26.817676067 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:26.817852974 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:26.819153070 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:26.819364071 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:26.819628000 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:26.819658995 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:26.866641045 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:27.292135000 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:27.292201042 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:27.292383909 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:27.969671011 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:27.969691992 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:27.969772100 CEST	49748	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:27.969788074 CEST	443	49748	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:38.976334095 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:38.976357937 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:38.976660967 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:38.976886988 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:38.976898909 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.460633993 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.461184025 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:39.461194038 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.462165117 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.462397099 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:39.463151932 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:39.463252068 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.463562965 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:39.463572979 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.504535913 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:39.988579035 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.988857985 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.988989115 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:39.990447044 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:39.990447998 CEST	49749	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:39.990515947 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:39.990540028 CEST	443	49749	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.004472017 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.004502058 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.004797935 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.005018950 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.005033016 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.474735022 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.475198030 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.475217104 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.476656914 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.476875067 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.477626085 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.477772951 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.477938890 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.477962017 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.531778097 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.990669966 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.990916014 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.991089106 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.992280006 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.992347002 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:43:58.992386103 CEST	49752	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:43:58.992414951 CEST	443	49752	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:04.860835075 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:04.860872030 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:04.861089945 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:04.861337900 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:04.861357927 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.347266912 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.347877026 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:05.347898960 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.349615097 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.349970102 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:05.350733995 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:05.350925922 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.351228952 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:05.351252079 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.405177116 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:05.907071114 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.907521963 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.907706022 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:05.909168005 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:05.909168959 CEST	49753	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:05.909288883 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:05.909318924 CEST	443	49753	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:15.280420065 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:15.280572891 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:15.280891895 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:15.281037092 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:15.281095982 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:15.778245926 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:15.778852940 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:15.778889894 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:15.780608892 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:15.780843973 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:15.781579971 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:15.781754017 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:15.781960011 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:15.781987906 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:15.824898958 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:16.310478926 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:16.310806036 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:16.311031103 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:16.312544107 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:16.312545061 CEST	49754	443	192.168.11.20	51.89.95.37
Sep 3, 2024 14:44:16.312618017 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:16.312640905 CEST	443	49754	51.89.95.37	192.168.11.20
Sep 3, 2024 14:44:28.805222034 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:28.805378914 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:28.805604935 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:28.805835962 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:28.805912971 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.248995066 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.249460936 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:29.249473095 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.250371933 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.250601053 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:29.251334906 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:29.251411915 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.251563072 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:29.251574993 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.306155920 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:29.734770060 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.735138893 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.735325098 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:29.736531973 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:29.736531973 CEST	49755	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:29.736603022 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:29.736625910 CEST	443	49755	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:31.245619059 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:31.245765924 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:31.246125937 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:31.246295929 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:31.246357918 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:31.702331066 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:31.702934980 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:31.702946901 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:31.704016924 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:31.704596043 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:31.705379963 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:31.705466986 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:31.705670118 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:31.705682039 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:31.758749962 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:32.190772057 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:32.191225052 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:32.191410065 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:32.192468882 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:32.192579031 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:32.192610979 CEST	49756	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:32.192657948 CEST	443	49756	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:35.760210991 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:35.760315895 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:35.760520935 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:35.760752916 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:35.760828018 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.209028959 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.209619999 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:36.209630013 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.210530996 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.210757971 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:36.211540937 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:36.211616993 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.211921930 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:36.211935997 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.257792950 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:36.689661980 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.690010071 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.690448999 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:36.698162079 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:36.698162079 CEST	49757	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:36.698285103 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:36.698316097 CEST	443	49757	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:40.291436911 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:40.291583061 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:40.291824102 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:40.292072058 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:40.292141914 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:40.742638111 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:40.743083000 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:40.743114948 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:40.745853901 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:40.746098995 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:40.746845961 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:40.747059107 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:40.747191906 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:40.747217894 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:40.788162947 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:41.230652094 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:41.230967999 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:41.231137037 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:41.232439041 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:41.232439995 CEST	49758	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:41.232530117 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:41.232561111 CEST	443	49758	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.602051973 CEST	49759	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.602174997 CEST	443	49759	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.602413893 CEST	49759	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.602663040 CEST	49759	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.602737904 CEST	443	49759	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.609364033 CEST	49759	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.633141041 CEST	49760	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.633196115 CEST	443	49760	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.633359909 CEST	49760	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.633630037 CEST	49760	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.633666992 CEST	443	49760	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.639981031 CEST	49760	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.652204037 CEST	443	49759	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.664510012 CEST	49761	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.664561033 CEST	443	49761	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.664732933 CEST	49761	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.664977074 CEST	49761	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.665019989 CEST	443	49761	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.667507887 CEST	49761	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.684281111 CEST	443	49760	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.695700884 CEST	49762	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.695718050 CEST	443	49762	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.695945978 CEST	49762	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.696151972 CEST	49762	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.696162939 CEST	443	49762	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.698646069 CEST	49762	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.708218098 CEST	443	49761	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.727314949 CEST	49763	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.727330923 CEST	443	49763	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.727549076 CEST	49763	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.727780104 CEST	49763	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.727792025 CEST	443	49763	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.732687950 CEST	49763	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.744210958 CEST	443	49762	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.761399984 CEST	49764	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.761416912 CEST	443	49764	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.761663914 CEST	49764	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.761899948 CEST	49764	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.761912107 CEST	443	49764	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.764158964 CEST	49764	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.776177883 CEST	443	49763	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.789362907 CEST	49765	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.789465904 CEST	443	49765	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.789686918 CEST	49765	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.789911032 CEST	49765	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.789968967 CEST	443	49765	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.796705961 CEST	49765	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.804222107 CEST	443	49764	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.820429087 CEST	49766	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.820517063 CEST	443	49766	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.820760965 CEST	49766	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.820996046 CEST	49766	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.821050882 CEST	443	49766	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.828041077 CEST	49766	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.840265036 CEST	443	49765	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.851713896 CEST	49767	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.851767063 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.851999044 CEST	49767	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.852195978 CEST	49767	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.852230072 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.854840040 CEST	49767	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.872189045 CEST	443	49766	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.883074045 CEST	49768	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.883097887 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.883280039 CEST	49768	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.883503914 CEST	49768	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.883517027 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.886257887 CEST	49768	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.900221109 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.914829016 CEST	49769	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.914850950 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.915030003 CEST	49769	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.915220976 CEST	49769	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.915235996 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.917390108 CEST	49769	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.928215981 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.945656061 CEST	49770	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.945672035 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.945823908 CEST	49770	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.946034908 CEST	49770	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.946046114 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.952869892 CEST	49770	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.960176945 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.976761103 CEST	49771	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.976775885 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.977011919 CEST	49771	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.977262974 CEST	49771	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.977273941 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:44.979988098 CEST	49771	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:44.996222019 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.008068085 CEST	49772	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.008084059 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.008306980 CEST	49772	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.008582115 CEST	49772	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.008593082 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.011213064 CEST	49772	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.020226002 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.039608002 CEST	49773	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.039623976 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.039844036 CEST	49773	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.040117979 CEST	49773	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.040128946 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.042793036 CEST	49773	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.047822952 CEST	443	49759	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.047934055 CEST	49759	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.056219101 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.070363045 CEST	49774	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.070389986 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.070642948 CEST	49774	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.070904970 CEST	49774	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.070918083 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.073499918 CEST	49774	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.076489925 CEST	443	49760	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.076611996 CEST	443	49760	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.076699018 CEST	49760	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.076759100 CEST	49760	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.084217072 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.102510929 CEST	49775	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.102526903 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.102696896 CEST	49775	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.102931023 CEST	49775	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.102941990 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.105115891 CEST	49775	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.110889912 CEST	443	49761	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.111027002 CEST	443	49761	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.111156940 CEST	49761	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.111234903 CEST	49761	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.116218090 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.133471012 CEST	49776	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.133554935 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.133723021 CEST	49776	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.133970976 CEST	49776	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.134022951 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.140043974 CEST	443	49762	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.140152931 CEST	443	49762	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.140212059 CEST	49762	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.140265942 CEST	49762	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.140705109 CEST	49776	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.148179054 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.164048910 CEST	49777	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.164071083 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.164262056 CEST	49777	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.164546967 CEST	49777	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.164560080 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.167514086 CEST	49777	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.169372082 CEST	443	49763	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.169493914 CEST	443	49763	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.169514894 CEST	49763	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.169616938 CEST	49763	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.184235096 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.195384979 CEST	49778	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.195467949 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.195774078 CEST	49778	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.195965052 CEST	49778	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.196010113 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.199999094 CEST	49778	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.208292007 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.216017962 CEST	443	49764	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.216201067 CEST	49764	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.226908922 CEST	49779	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.227001905 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.227349043 CEST	49779	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.227576017 CEST	49779	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.227634907 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.229792118 CEST	49779	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.238559961 CEST	443	49765	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.238792896 CEST	49765	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.240221977 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.258239031 CEST	49780	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.258327007 CEST	443	49780	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.258550882 CEST	49780	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.258764029 CEST	49780	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.258934021 CEST	443	49780	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.259175062 CEST	49780	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.267699003 CEST	443	49766	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.267867088 CEST	49766	443	192.168.11.20	78.47.165.25
Sep 3, 2024 14:44:45.272233963 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.306853056 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.307519913 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.312333107 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.330096960 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.330640078 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.336374044 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.363692999 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.364316940 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.372375011 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.392146111 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.392827988 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.400381088 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.421489000 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.421892881 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.432388067 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.457437992 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.458077908 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.464379072 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.487766981 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.488383055 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.496320009 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.518821955 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.519478083 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.520263910 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.524380922 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.548306942 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.552525997 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.553124905 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.560384035 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.583945036 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.584228992 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.584530115 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.596318007 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.608298063 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.613593102 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.613989115 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.620377064 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.643147945 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.643567085 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.644231081 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.648308992 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.672302961 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.680068970 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.680519104 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.688369989 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.704394102 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.732383013 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.768404007 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.804397106 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.828383923 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.856321096 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.896332026 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.960372925 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:45.960372925 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.024391890 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.024415016 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.056379080 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.088407040 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.120306015 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.156316996 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.184331894 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.216370106 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.248341084 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.280390978 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.312303066 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.792386055 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.792386055 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.856395960 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.856415033 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.888369083 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.920312881 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.952395916 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:46.984344006 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:47.016377926 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:47.048393011 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:47.080390930 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:47.112399101 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:47.144329071 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.456202030 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.456232071 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.520330906 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.520330906 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.552340984 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.584394932 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.620258093 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.648367882 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.680382967 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.712377071 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.744395018 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.776380062 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:48.808372021 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:51.848427057 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:51.848427057 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:51.848428011 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:51.848453045 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:51.848483086 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:52.104420900 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:52.104420900 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:52.104422092 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:52.104422092 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:52.104446888 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:52.104475975 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:52.104484081 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:52.104512930 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.504410028 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.504410028 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.504431009 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.504462957 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.504472017 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.760323048 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.760324001 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.760324001 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.760344028 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.760346889 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.760351896 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.760390043 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:44:58.760416985 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:11.816404104 CEST	443	49769	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:11.816405058 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:11.816426039 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:11.816426992 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:11.816462040 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:12.072276115 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:12.072316885 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:12.072315931 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:12.072315931 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:12.072339058 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:12.072348118 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:12.072365046 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:12.072393894 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696408987 CEST	443	49772	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696408987 CEST	443	49774	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696408987 CEST	443	49776	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696408987 CEST	443	49773	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696434975 CEST	443	49767	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696441889 CEST	443	49775	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696446896 CEST	443	49771	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696463108 CEST	443	49777	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696475983 CEST	443	49778	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696476936 CEST	443	49770	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696507931 CEST	443	49779	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696537018 CEST	443	49768	78.47.165.25	192.168.11.20
Sep 3, 2024 14:45:38.696552992 CEST	443	49769	78.47.165.25	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 3, 2024 14:43:26.186781883 CEST	55960	53	192.168.11.20	1.1.1.1
Sep 3, 2024 14:43:26.306277990 CEST	53	55960	1.1.1.1	192.168.11.20
Sep 3, 2024 14:44:28.684020996 CEST	53811	53	192.168.11.20	1.1.1.1
Sep 3, 2024 14:44:28.804490089 CEST	53	53811	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 3, 2024 14:43:26.186781883 CEST	192.168.11.20	1.1.1.1	0x3cc6	Standard query (0)	getscreen.me	A (IP address)	IN (0x0001)	false
Sep 3, 2024 14:44:28.684020996 CEST	192.168.11.20	1.1.1.1	0x700c	Standard query (0)	getscreen.me	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 3, 2024 14:43:26.306277990 CEST	1.1.1.1	192.168.11.20	0x3cc6	No error (0)	getscreen.me	51.89.95.37	A (IP address)	IN (0x0001)	false
Sep 3, 2024 14:43:26.306277990 CEST	1.1.1.1	192.168.11.20	0x3cc6	No error (0)	getscreen.me	5.75.168.191	A (IP address)	IN (0x0001)	false
Sep 3, 2024 14:43:26.306277990 CEST	1.1.1.1	192.168.11.20	0x3cc6	No error (0)	getscreen.me	78.47.165.25	A (IP address)	IN (0x0001)	false
Sep 3, 2024 14:44:28.804490089 CEST	1.1.1.1	192.168.11.20	0x700c	No error (0)	getscreen.me	78.47.165.25	A (IP address)	IN (0x0001)	false
Sep 3, 2024 14:44:28.804490089 CEST	1.1.1.1	192.168.11.20	0x700c	No error (0)	getscreen.me	5.75.168.191	A (IP address)	IN (0x0001)	false
Sep 3, 2024 14:44:28.804490089 CEST	1.1.1.1	192.168.11.20	0x700c	No error (0)	getscreen.me	51.89.95.37	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

getscreen.me

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.11.20	49748	51.89.95.37	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:43:26 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:43:27 UTC	265	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:43:27 GMT content-length: 12 x-envoy-upstream-service-time: 6 server: ov1.getscreen.me connection: close
2024-09-03 12:43:27 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.11.20	49749	51.89.95.37	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:43:39 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:43:39 UTC	265	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:43:39 GMT content-length: 12 x-envoy-upstream-service-time: 6 server: ov1.getscreen.me connection: close
2024-09-03 12:43:39 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.11.20	49752	51.89.95.37	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:43:58 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:43:58 UTC	265	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:43:58 GMT content-length: 12 x-envoy-upstream-service-time: 7 server: ov1.getscreen.me connection: close
2024-09-03 12:43:58 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.11.20	49753	51.89.95.37	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:44:05 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:44:05 UTC	266	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:44:05 GMT content-length: 12 x-envoy-upstream-service-time: 40 server: ov1.getscreen.me connection: close
2024-09-03 12:44:05 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.11.20	49754	51.89.95.37	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:44:15 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:44:16 UTC	265	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:44:16 GMT content-length: 12 x-envoy-upstream-service-time: 6 server: ov1.getscreen.me connection: close
2024-09-03 12:44:16 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.11.20	49755	78.47.165.25	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:44:29 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:44:29 UTC	265	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:44:29 GMT content-length: 12 x-envoy-upstream-service-time: 0 server: lb1.getscreen.me connection: close
2024-09-03 12:44:29 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.11.20	49756	78.47.165.25	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:44:31 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:44:32 UTC	265	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:44:32 GMT content-length: 12 x-envoy-upstream-service-time: 0 server: lb1.getscreen.me connection: close
2024-09-03 12:44:32 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.11.20	49757	78.47.165.25	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:44:36 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:44:36 UTC	265	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:44:36 GMT content-length: 12 x-envoy-upstream-service-time: 1 server: lb1.getscreen.me connection: close
2024-09-03 12:44:36 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.11.20	49758	78.47.165.25	443	6380	C:\Users\user\Desktop\getscreen-120727697-x86.exe

Timestamp	Bytes transferred	Direction	Data
2024-09-03 12:44:40 UTC	290	OUT	GET /signal/agent HTTP/1.1 Host: getscreen.me Upgrade: websocket Connection: Upgrade Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== Origin: https://getscreen.me Sec-WebSocket-Protocol: chat, superchat Sec-WebSocket-Version: 13 User-Agent: Getscreen.me/2.21.3 (Win, getscreen.me, 2)
2024-09-03 12:44:41 UTC	265	IN	HTTP/1.1 400 Bad Request content-type: text/plain; charset=utf-8 sec-websocket-version: 13 x-content-type-options: nosniff date: Tue, 03 Sep 2024 12:44:41 GMT content-length: 12 x-envoy-upstream-service-time: 2 server: lb1.getscreen.me connection: close
2024-09-03 12:44:41 UTC	12	IN	Data Raw: 42 61 64 20 52 65 71 75 65 73 74 0a Data Ascii: Bad Request

Target ID:	1
Start time:	08:43:22
Start date:	03/09/2024
Path:	C:\Users\user\Desktop\getscreen-120727697-x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\getscreen-120727697-x86.exe"
Imagebase:	0x680000
File size:	3'654'440 bytes
MD5 hash:	9C765958B4D463D04C41DEF1103AA1F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	08:43:22
Start date:	03/09/2024
Path:	C:\Users\user\Desktop\getscreen-120727697-x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\getscreen-120727697-x86.exe" -gpipe \\.\pipe\PCommand97eevsiwzhbqnwukq -gui
Imagebase:	0x680000
File size:	3'654'440 bytes
MD5 hash:	9C765958B4D463D04C41DEF1103AA1F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	08:43:23
Start date:	03/09/2024
Path:	C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe" -elevate \\.\pipe\elevateGS512rzrcqgspmqryvpnwupffnbzpjfygzjn
Imagebase:	0x180000
File size:	3'654'440 bytes
MD5 hash:	9C765958B4D463D04C41DEF1103AA1F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, Virustotal, Browse Detection: 3%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	08:43:25
Start date:	03/09/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
Imagebase:	0x7ff61ee50000
File size:	57'360 bytes
MD5 hash:	F586835082F632DC8D9404D83BC16316
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	08:43:25
Start date:	03/09/2024
Path:	C:\Users\user\Desktop\getscreen-120727697-x86.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\getscreen-120727697-x86.exe" -cpipe \\.\pipe\PCommand96vrvrbjerbhsaigc -cmem 0000pipe0PCommand96vrvrbjerbhsaigc9zl1urwze4y5iil -child
Imagebase:	0x680000
File size:	3'654'440 bytes
MD5 hash:	9C765958B4D463D04C41DEF1103AA1F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	9.1%
Total number of Nodes:	77
Total number of Limit Nodes:	6

Executed Functions

Function 018D29E0 Relevance: 7.7, APIs: 5, Instructions: 212
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 018D2B13
GetProcAddress.KERNELBASE(?,018ACFF9), ref: 018D2B31
ExitProcess.KERNEL32(?,018ACFF9), ref: 018D2B42
VirtualProtect.KERNELBASE(00180000,00001000,00000004,?,00000000), ref: 018D2B90
VirtualProtect.KERNELBASE(00180000,00001000), ref: 018D2BA5

Memory Dump Source

Source File: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 82ec3467bb6c8ff48a64dfa68f3e0d0ada13ed72d3e91decfc82c48231bdfeaf
Instruction ID: a60e809a45c9af5581e937b6edb793cd99586a44d4a22bba266fa457c072803b
Opcode Fuzzy Hash: 82ec3467bb6c8ff48a64dfa68f3e0d0ada13ed72d3e91decfc82c48231bdfeaf
Instruction Fuzzy Hash: 245139726507129BD7319EBCCCC0674BB96EB41334B180739DAE2DB3C6E7E45A068762

Function 0084B6E0 Relevance: 6.1, APIs: 4, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0085F42C: GetLastError.KERNEL32(00000000,?,00845FDD,0085F0E3,?,?,007EF77A,0000000C,?,?,?,?,007627D2,?,?,?), ref: 0085F581
Part of subcall function 0085F42C: SetLastError.KERNEL32(00000000,00000006), ref: 0085F623

CloseHandle.KERNEL32(?,?,?,0084B817,?,?,0084B689,00000000), ref: 0084B711
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,0084B817,?,?,0084B689,00000000), ref: 0084B727
RtlExitUserThread.NTDLL(?,?,?,0084B817,?,?,0084B689,00000000), ref: 0084B730
GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 0084B76E

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ErrorExitHandleLastThread$CloseFreeLibraryModuleUser
String ID:
API String ID: 1062721995-0
Opcode ID: c31c250c571ce6efb338e4a61d521e41bdf65ec43ec45e3c15dd64ae6ef5ebc9
Instruction ID: 5f27575bb1144085d76aa07cbcb7c97881f6ad27bc0489bedbc28ec1c04c8328
Opcode Fuzzy Hash: c31c250c571ce6efb338e4a61d521e41bdf65ec43ec45e3c15dd64ae6ef5ebc9
Instruction Fuzzy Hash: 001190B2501208ABC7249BA9DC09E9A7BE8FF80760F148129FD15C72A2DB70ED05C7A1

Function 0084B62B Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(009A0388,0000000C), ref: 0084B63E
RtlExitUserThread.NTDLL(00000000), ref: 0084B645

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ErrorExitLastThreadUser
String ID:
API String ID: 1750398979-0
Opcode ID: dc1f464ff99053d18e43df5bb8bfb64d336a87ad9c6bd9a84fbb9532c33c5c93
Instruction ID: 1e9ba1a823bb82665c59721a52daef1432b04780800927bc5e1caaff5c126cb4
Opcode Fuzzy Hash: dc1f464ff99053d18e43df5bb8bfb64d336a87ad9c6bd9a84fbb9532c33c5c93
Instruction Fuzzy Hash: 38F0CD72900209AFDF00AFB8D80AA6E7B75FF40721F220158F502D7292DB70A941CBA6

Non-executed Functions

Function 007F7449 Relevance: 224.3, APIs: 64, Strings: 64, Instructions: 269
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(wtsapi32.dll,007F7168), ref: 007F744E
GetProcAddress.KERNEL32(00000000,WTSStopRemoteControlSession), ref: 007F746B
GetProcAddress.KERNEL32(WTSStartRemoteControlSessionW), ref: 007F747D
GetProcAddress.KERNEL32(WTSStartRemoteControlSessionA), ref: 007F748F
GetProcAddress.KERNEL32(WTSConnectSessionW), ref: 007F74A1
GetProcAddress.KERNEL32(WTSConnectSessionA), ref: 007F74B3
GetProcAddress.KERNEL32(WTSEnumerateServersW), ref: 007F74C5
GetProcAddress.KERNEL32(WTSEnumerateServersA), ref: 007F74D7
GetProcAddress.KERNEL32(WTSOpenServerW), ref: 007F74E9
GetProcAddress.KERNEL32(WTSOpenServerA), ref: 007F74FB
GetProcAddress.KERNEL32(WTSOpenServerExW), ref: 007F750D
GetProcAddress.KERNEL32(WTSOpenServerExA), ref: 007F751F
GetProcAddress.KERNEL32(WTSCloseServer), ref: 007F7531
GetProcAddress.KERNEL32(WTSEnumerateSessionsW), ref: 007F7543
GetProcAddress.KERNEL32(WTSEnumerateSessionsA), ref: 007F7555
GetProcAddress.KERNEL32(WTSEnumerateSessionsExW), ref: 007F7567
GetProcAddress.KERNEL32(WTSEnumerateSessionsExA), ref: 007F7579
GetProcAddress.KERNEL32(WTSEnumerateProcessesW), ref: 007F758B
GetProcAddress.KERNEL32(WTSEnumerateProcessesA), ref: 007F759D
GetProcAddress.KERNEL32(WTSTerminateProcess), ref: 007F75AF
GetProcAddress.KERNEL32(WTSQuerySessionInformationW), ref: 007F75C1
GetProcAddress.KERNEL32(WTSQuerySessionInformationA), ref: 007F75D3
GetProcAddress.KERNEL32(WTSQueryUserConfigW), ref: 007F75E5
GetProcAddress.KERNEL32(WTSQueryUserConfigA), ref: 007F75F7
GetProcAddress.KERNEL32(WTSSetUserConfigW), ref: 007F7609

Strings

WTSStartRemoteControlSessionA, xrefs: 007F747F
WTSDisconnectSession, xrefs: 007F7641
WTSTerminateProcess, xrefs: 007F759F
WTSCloseServer, xrefs: 007F7521
WTSEnumerateSessionsExW, xrefs: 007F7557
WTSEnumerateServersA, xrefs: 007F74C7
WTSEnableChildSessions, xrefs: 007F7881
WTSEnumerateSessionsA, xrefs: 007F7545
WTSEnumerateServersW, xrefs: 007F74B5
WTSRegisterSessionNotificationEx, xrefs: 007F774F
WTSQueryUserConfigW, xrefs: 007F75D5
WTSGetActiveConsoleSessionId, xrefs: 007F78B7
WTSQueryUserConfigA, xrefs: 007F75E7
WTSVirtualChannelClose, xrefs: 007F76AD
WTSCreateListenerA, xrefs: 007F7827
WTSOpenServerExA, xrefs: 007F750F
WTSWaitSystemEvent, xrefs: 007F7677
WTSUnRegisterSessionNotification, xrefs: 007F773D
WTSGetChildSessionId, xrefs: 007F78A5
WTSOpenServerW, xrefs: 007F74D9
WTSEnumerateListenersA, xrefs: 007F77DF
WTSEnumerateListenersW, xrefs: 007F77CD
WTSVirtualChannelOpenEx, xrefs: 007F769B
WTSEnumerateProcessesW, xrefs: 007F757B
WTSSetListenerSecurityA, xrefs: 007F784B
WTSIsChildSessionsEnabled, xrefs: 007F7898
WTSSetUserConfigA, xrefs: 007F760B
WTSEnumerateProcessesA, xrefs: 007F758D
WTSShutdownSystem, xrefs: 007F7665
WTSCreateListenerW, xrefs: 007F7815
WTSConnectSessionA, xrefs: 007F74A3
WTSQueryUserToken, xrefs: 007F7773
WTSVirtualChannelPurgeInput, xrefs: 007F76E3
WTSStopRemoteControlSession, xrefs: 007F7465
WTSRegisterSessionNotification, xrefs: 007F7730
WTSSendMessageW, xrefs: 007F761D
WTSQueryListenerConfigW, xrefs: 007F77F1
WTSLogoffSession, xrefs: 007F7653
WTSEnumerateProcessesExW, xrefs: 007F77A9
WTSEnumerateSessionsExA, xrefs: 007F7569
WTSVirtualChannelRead, xrefs: 007F76BF
WTSStartRemoteControlSessionW, xrefs: 007F746D
WTSSetUserConfigW, xrefs: 007F75F9
WTSOpenServerExW, xrefs: 007F74FD
WTSVirtualChannelOpen, xrefs: 007F7689
WTSQueryListenerConfigA, xrefs: 007F7803
WTSQuerySessionInformationA, xrefs: 007F75C3
WTSGetListenerSecurityA, xrefs: 007F786F
WTSVirtualChannelQuery, xrefs: 007F7707
WTSSendMessageA, xrefs: 007F762F
WTSQuerySessionInformationW, xrefs: 007F75B1
WTSEnumerateProcessesExA, xrefs: 007F77BB
WTSConnectSessionW, xrefs: 007F7491
wtsapi32.dll, xrefs: 007F7449
WTSGetListenerSecurityW, xrefs: 007F785D
WTSFreeMemory, xrefs: 007F7719
WTSUnRegisterSessionNotificationEx, xrefs: 007F7761
WTSVirtualChannelPurgeOutput, xrefs: 007F76F5
WTSFreeMemoryExA, xrefs: 007F7797
WTSSetListenerSecurityW, xrefs: 007F7839
WTSEnumerateSessionsW, xrefs: 007F7533
WTSFreeMemoryExW, xrefs: 007F7785
WTSOpenServerA, xrefs: 007F74EB
WTSVirtualChannelWrite, xrefs: 007F76D1

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: WTSCloseServer$WTSConnectSessionA$WTSConnectSessionW$WTSCreateListenerA$WTSCreateListenerW$WTSDisconnectSession$WTSEnableChildSessions$WTSEnumerateListenersA$WTSEnumerateListenersW$WTSEnumerateProcessesA$WTSEnumerateProcessesExA$WTSEnumerateProcessesExW$WTSEnumerateProcessesW$WTSEnumerateServersA$WTSEnumerateServersW$WTSEnumerateSessionsA$WTSEnumerateSessionsExA$WTSEnumerateSessionsExW$WTSEnumerateSessionsW$WTSFreeMemory$WTSFreeMemoryExA$WTSFreeMemoryExW$WTSGetActiveConsoleSessionId$WTSGetChildSessionId$WTSGetListenerSecurityA$WTSGetListenerSecurityW$WTSIsChildSessionsEnabled$WTSLogoffSession$WTSOpenServerA$WTSOpenServerExA$WTSOpenServerExW$WTSOpenServerW$WTSQueryListenerConfigA$WTSQueryListenerConfigW$WTSQuerySessionInformationA$WTSQuerySessionInformationW$WTSQueryUserConfigA$WTSQueryUserConfigW$WTSQueryUserToken$WTSRegisterSessionNotification$WTSRegisterSessionNotificationEx$WTSSendMessageA$WTSSendMessageW$WTSSetListenerSecurityA$WTSSetListenerSecurityW$WTSSetUserConfigA$WTSSetUserConfigW$WTSShutdownSystem$WTSStartRemoteControlSessionA$WTSStartRemoteControlSessionW$WTSStopRemoteControlSession$WTSTerminateProcess$WTSUnRegisterSessionNotification$WTSUnRegisterSessionNotificationEx$WTSVirtualChannelClose$WTSVirtualChannelOpen$WTSVirtualChannelOpenEx$WTSVirtualChannelPurgeInput$WTSVirtualChannelPurgeOutput$WTSVirtualChannelQuery$WTSVirtualChannelRead$WTSVirtualChannelWrite$WTSWaitSystemEvent$wtsapi32.dll
API String ID: 2238633743-2998606599
Opcode ID: 40ba1d25402693c171c20ccc463b59a98fa0526a63c0662a3f2cfcee21047735
Instruction ID: 7c260653fb41a7d153cf214c915ba5176f71f20683cd435b7bd325c16acf6d99
Opcode Fuzzy Hash: 40ba1d25402693c171c20ccc463b59a98fa0526a63c0662a3f2cfcee21047735
Instruction Fuzzy Hash: 18B135B4F88316AACB11DFF5AC4AC4F7EE1E7477797008A1AA808562F1E7754092DF90

Function 007AE4DD Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 138
registrythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 007F6B05: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,00000000,00000000,00000000,?,007AE59B,00000001,00006060,00000010), ref: 007F6B3E

GetVersionExA.KERNEL32(?), ref: 007AE5CD
GetNativeSystemInfo.KERNEL32(?), ref: 007AE5E7
RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 007AE612
primitives_get.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE ref: 007AE6DC
CreateThreadpool.KERNEL32(00000000), ref: 007AE6E2

Strings

Software\FreeRDP\FreeRDP\RemoteFX, xrefs: 007AE605
com.freerdp.codec.rfx, xrefs: 007AE530
>z, xrefs: 007AE582

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: CountCreateCriticalInfoInitializeNativeOpenSectionSpinSystemThreadpoolVersionprimitives_get
String ID: >z$Software\FreeRDP\FreeRDP\RemoteFX$com.freerdp.codec.rfx
API String ID: 3882483829-3455824616
Opcode ID: 16636958e089adee8c8440e4af8ed4800266dedc155a86a6f57ca41edcd52585
Instruction ID: 9b4a4bf3b9cc0ed7992e23c8f82b4e3caa6669e6f6238995d5689d10a8d77e05
Opcode Fuzzy Hash: 16636958e089adee8c8440e4af8ed4800266dedc155a86a6f57ca41edcd52585
Instruction Fuzzy Hash: 7141BEB1A00709AFE7109F78DC85B5AB7F8FB45304F10453EE509D6242EB78E9458B51

Function 007EE437 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F43BE

Strings

EncryptMessage: %s (0x%08X), xrefs: 007F4401
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F440B, 007F444A
sspi_EncryptMessage, xrefs: 007F4406, 007F443E, 007F4443, 007F4449
[%s]: Security module does not provide an implementation, xrefs: 007F4444

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EncryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EncryptMessage
API String ID: 689400697-3976766517
Opcode ID: 64a46c559e199907c02195c4679d43309a566c236d5dcadc160da4da3379da9e
Instruction ID: d6abab825a62018b4e599da48c2202c292ae364eeadc7add72b5aac7f1415ad4
Opcode Fuzzy Hash: 64a46c559e199907c02195c4679d43309a566c236d5dcadc160da4da3379da9e
Instruction Fuzzy Hash: A811CD72384349BBE722AE96EC07F7B3E6CEBC5B50F000054F604A62E1DA55DA119661

Function 007EE42E Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F42FB

Strings

DecryptMessage: %s (0x%08X), xrefs: 007F433E
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F4348, 007F4387
[%s]: Security module does not provide an implementation, xrefs: 007F4381
sspi_DecryptMessage, xrefs: 007F4343, 007F437B, 007F4380, 007F4386

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DecryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DecryptMessage
API String ID: 689400697-3301108232
Opcode ID: 3bbd3b89dba4f22ad097280874f6a6c45796d72cd84100265c0151ceddc7e366
Instruction ID: f4ab4cd4991d2b3aaac901bcd4218ad89e6ae47fb60127272fe0d5f6d39203a1
Opcode Fuzzy Hash: 3bbd3b89dba4f22ad097280874f6a6c45796d72cd84100265c0151ceddc7e366
Instruction Fuzzy Hash: A511A732384349BBDB226A96EC07E7F3E6CEBD6B50F000054F704A62E1DA55DA11D7A5

Function 00795E14 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

crypto_cert_fingerprint.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 00795E1C

Part of subcall function 0079576E: crypto_cert_fingerprint_by_hash.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,sha256), ref: 00795779

crypto_cert_issuer.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 00795E30
crypto_cert_subject.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?), ref: 00795E3A
certificate_data_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,00000000,00000000,00000000,?,?), ref: 00795E4A

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: certificate_data_newcrypto_cert_fingerprintcrypto_cert_fingerprint_by_hashcrypto_cert_issuercrypto_cert_subject
String ID:
API String ID: 1865246629-0
Opcode ID: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
Instruction ID: dfba2aac5f8e1a2de3fcb35c334156730f9fc7e5834ab9da9b1225e8f5eb998d
Opcode Fuzzy Hash: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
Instruction Fuzzy Hash: F4E0DF75100A18FFCF122F69EC09C9F3EADDF823E0B044224BD085A121DA36CE1097A0

Function 0083FCA9 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0083FDC9,0096C654), ref: 0083FCAE
UnhandledExceptionFilter.KERNEL32(0083FDC9,?,0083FDC9,0096C654), ref: 0083FCB7
GetCurrentProcess.KERNEL32(C0000409,?,0083FDC9,0096C654), ref: 0083FCC2
TerminateProcess.KERNEL32(00000000,?,0083FDC9,0096C654), ref: 0083FCC9

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: b3bcad15ea25aa6c2bf88c6bd91df669c57ef65f4eba505f4b167486abaf2241
Instruction ID: bf54cdf20056562a49fe8af5395dc08e91a360144af0760c838e912326677e7c
Opcode Fuzzy Hash: b3bcad15ea25aa6c2bf88c6bd91df669c57ef65f4eba505f4b167486abaf2241
Instruction Fuzzy Hash: F5D0123300620AABDB002BE8FD0CB493F2CFB0860AF052000F30A82062EB3154008BA9

Function 001F89A0 Relevance: 5.1, Strings: 4, Instructions: 137COMMON

Download Yara Rule

Strings

OPENSSL_ia32cap, xrefs: 0028C80B
Genu, xrefs: 0028C6BF
ineI, xrefs: 0028C6C7
ntel, xrefs: 0028C6CF

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID: Genu$OPENSSL_ia32cap$ineI$ntel
API String ID: 0-3767422159
Opcode ID: cbb1374127e3809aff62dda9e5f469ae9262ca9d031914e570445a1356890f85
Instruction ID: 30f69295aebb3cac46d13495428e9cd10a472a127e59a3d181147ff6df4a09e4
Opcode Fuzzy Hash: cbb1374127e3809aff62dda9e5f469ae9262ca9d031914e570445a1356890f85
Instruction Fuzzy Hash: B4416F7AF2220647EF1CA97CEC5537EB589AB95320F34423FD516D22C0DB348D608BA1

Function 00795B39 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

crypto_cert_subject.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 00795B42
crypto_cert_issuer.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?), ref: 00795B4C
crypto_cert_fingerprint.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?), ref: 00795B56

Part of subcall function 0079576E: crypto_cert_fingerprint_by_hash.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,sha256), ref: 00795779

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: crypto_cert_fingerprintcrypto_cert_fingerprint_by_hashcrypto_cert_issuercrypto_cert_subject
String ID:
API String ID: 727492566-0
Opcode ID: e999151ca2a258f8ec9e3611efd7a008807b52a9402cdb300b59891d7fc350f0
Instruction ID: a9060c9e0ed3258fd2551d8968c361589c134492ec022f74248e3a5e8320bdbd
Opcode Fuzzy Hash: e999151ca2a258f8ec9e3611efd7a008807b52a9402cdb300b59891d7fc350f0
Instruction Fuzzy Hash: E6118E71704B2366EE26A676BC4AF1A26CC9F127A0F144419F804DA1C2EA2CED0187B5

Function 0079576E Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 5COMMON

Download Yara Rule

APIs

crypto_cert_fingerprint_by_hash.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,sha256), ref: 00795779

Part of subcall function 00795782: crypto_cert_hash.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,0079577E,?,sha256), ref: 00795792

Strings

sha256, xrefs: 00795771

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: crypto_cert_fingerprint_by_hashcrypto_cert_hash
String ID: sha256
API String ID: 2885152359-1556616439
Opcode ID: 889d2e8ecf39fb40365f62341c8c7c29d8ef7623f33d70b2c851c37a759c9130
Instruction ID: ac326a15372fac845df4c8e3922a1a7a25d539717702a722112b642e98627202
Opcode Fuzzy Hash: 889d2e8ecf39fb40365f62341c8c7c29d8ef7623f33d70b2c851c37a759c9130
Instruction Fuzzy Hash: 1FA0222000832CFB8E023A83EC03C8A3E0C8B00B80B000020BB00000338BAAAB0202E2

Function 007A3F1C Relevance: 3.1, APIs: 2, Instructions: 85COMMON

Download Yara Rule

APIs

crypto_base64_encode.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(0098A688,00000000,00000000,00000000,00000000,?,00795E4F,?,?,00000000,00000000,00000000,?,?), ref: 007A3F7D

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: crypto_base64_encode
String ID:
API String ID: 2528031924-0
Opcode ID: 80e5d014e864ab07a5fee58adce61ff7d42269fe1a949e87458bb12fe66f65ed
Instruction ID: dfa18ac535d5d318e36f4b23d6a85d25e29d1a5cb9ee949bf068e9b4884b226d
Opcode Fuzzy Hash: 80e5d014e864ab07a5fee58adce61ff7d42269fe1a949e87458bb12fe66f65ed
Instruction Fuzzy Hash: 7421F172904B06AFDB306F69C80681BB7E8EF85310B144A2EB945C2542EE75D840CBA2

Function 007FEE20 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,?,?,?,007F6941,?,?,?,?,007F6A0A,?,?), ref: 007FEE73

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: DebuggerPresent
String ID:
API String ID: 1347740429-0
Opcode ID: d996821f587ba4950903b8b828c733771099adeeea8f7aa696b4bb7bb554a15a
Instruction ID: fa9eb7e993b6ac9d65922cf1d007ed3d2f965c567b02d61606077e3791b2d21e
Opcode Fuzzy Hash: d996821f587ba4950903b8b828c733771099adeeea8f7aa696b4bb7bb554a15a
Instruction Fuzzy Hash: A9F01DB1100FA48FE7708F05E448722BBF0FB00769F50082CE7824ABA1C7F9A449CB81

Function 00795782 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

crypto_cert_hash.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,0079577E,?,sha256), ref: 00795792

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: crypto_cert_hash
String ID:
API String ID: 1547982073-0
Opcode ID: 7460d84a63f73ef57bb7a90a7cbc953c30664581771c6989db31222eff5a1bf8
Instruction ID: beb4dd9b3c5348081c88b4bcebe0fb6f7870feab6e9a4d3010f817920185ad0b
Opcode Fuzzy Hash: 7460d84a63f73ef57bb7a90a7cbc953c30664581771c6989db31222eff5a1bf8
Instruction Fuzzy Hash: ABC048B601010CBFAF06AB85CC8ACAA7B6DEA04250B008225BA0445021E6B2AE10ABA4

Function 00795ABB Relevance: 1.3, Strings: 1, Instructions: 38COMMON

Download Yara Rule

Strings

@, xrefs: 00795AC5

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 6f2c8adfc3a7746f7bcc21c7e8ebdf9c9b635e5e3cb3ad753f3208d9ff8683b7
Instruction ID: 684022a4a524664bdc898a924546a59311b9b2eea46495cdd6d68fcbd8bfb1f2
Opcode Fuzzy Hash: 6f2c8adfc3a7746f7bcc21c7e8ebdf9c9b635e5e3cb3ad753f3208d9ff8683b7
Instruction Fuzzy Hash: 63F0E272220628BFEF22DAD4EC42F9F7BADDB417A0F100026F9045A140D6759E00C7A0

Function 007A7B3F Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e7750f2180f91e63ef4f51337fa7831f43164307252468bb3087ada03e53b4
Instruction ID: 4643d7c04910baf70239e962244558d13f9bc84ed0c5a4110810f05611de3402
Opcode Fuzzy Hash: 06e7750f2180f91e63ef4f51337fa7831f43164307252468bb3087ada03e53b4
Instruction Fuzzy Hash: 7831E0B360C6D04ED7198B2888616657FE69BAA110B1D85DEE8E9CF343E025DA06DB31

Function 001CB080 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2a393e18e96e22232b1a8b6bc9d7aa5108758d654bbf380689cd5f10572be9e
Instruction ID: 3fdbfe2e982dec523beb8f098eb33c2a9e764432e81ac6e269534acf7aaad7bf
Opcode Fuzzy Hash: c2a393e18e96e22232b1a8b6bc9d7aa5108758d654bbf380689cd5f10572be9e
Instruction Fuzzy Hash: C6516371C20F8587E2619B31CC05397B7A1BFA5304F24972EE4DA21162FBB175E88A82

Function 001EA30D Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
Instruction ID: 3e4aa2ddb2d8e81c8354a7a9abd9c0855dd406e35942f766b766150b3b172115
Opcode Fuzzy Hash: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
Instruction Fuzzy Hash: DD1151D9C2AF7A06E713633B5D42242DA105EF7989550D347FCB439D61F701B5C17210

Function 00872165 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ByteCharMultiWide
String ID:
API String ID: 626452242-0
Opcode ID: d0743f76c2c376117f3fc76b87035878c952d77a74e7cde8af460c8adba0530c
Instruction ID: 1243c9e08c701c033762e8aa2832d1ce1a03e50a49a27bd976df660df4bfc849
Opcode Fuzzy Hash: d0743f76c2c376117f3fc76b87035878c952d77a74e7cde8af460c8adba0530c
Instruction Fuzzy Hash: 28011675A0010DAFDB08DF59DC51DFEB7B9EBC8720F108129E515D7291E6749905CBA0

Function 0079590A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ad74d63f2319e97ff94bd00f447820ca05bb9721a5808471e77665e4c40aa4
Instruction ID: 336c0571d4c97326a360cc3365ac824d001fdafcf9bf1c08b7f61c5604ebb51a
Opcode Fuzzy Hash: 64ad74d63f2319e97ff94bd00f447820ca05bb9721a5808471e77665e4c40aa4
Instruction Fuzzy Hash: 76F09672904128EFEF05F7E4EC0A8BE77BCEF04364F100569F81197152EA74AA148751

Function 00795732 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 202264b495aea57bf335de0fcf60fb4b08f6b7c1e9d1d4bceccd79822d03eebf
Instruction ID: 2fcb903fe30c69901e4022750555351656005055032c0436892ab8145b35880d
Opcode Fuzzy Hash: 202264b495aea57bf335de0fcf60fb4b08f6b7c1e9d1d4bceccd79822d03eebf
Instruction Fuzzy Hash: 37E09B32001E2DE7CF131F49F8415AE3B55EFC1371F140025F904570414B35B9418B92

Function 00872620 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd3501ae8cc7d54b5b6039e73c4159469e4ee806065cc444d8108c8b9717388
Instruction ID: d2d011fc004f1e3fdcca6fd3fdb4a78204e6cd71821a33efa7d4782f9f07c833
Opcode Fuzzy Hash: cfd3501ae8cc7d54b5b6039e73c4159469e4ee806065cc444d8108c8b9717388
Instruction Fuzzy Hash: 26E08C3671221A9F8B15CE69C800AAA73E5FF59B04B54C46AEC8DDB308D330ED028B80

Function 00797321 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c920fcbb8b362c6c414a7613c8428d6942e7fb65bc5c0d3cec4812cbf3b80f8
Instruction ID: c6c30f1c358fce17d4e510e98ee1dc239d0cc03a69c9884f6eb3b249e7c3036c
Opcode Fuzzy Hash: 4c920fcbb8b362c6c414a7613c8428d6942e7fb65bc5c0d3cec4812cbf3b80f8
Instruction Fuzzy Hash: 87D05E3266424D6BDF0C9EE4BC05D7A379DEF44614B084498FD1C87910E23AD870EA40

Function 00795ED1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92904718c7774d80baf37b01db223b482aa12a3400e7c889efefc14f73fae5f7
Instruction ID: 0ea048cda2968f6a1db257baf2bee7b971fda9bcf60582e0110c4bdc1814cbfe
Opcode Fuzzy Hash: 92904718c7774d80baf37b01db223b482aa12a3400e7c889efefc14f73fae5f7
Instruction Fuzzy Hash: 6BE0C22A5096B78787224A5D60004A7FFA9ADD9694324C5AADEE45F3068020EA4143F0

Function 00795DA5 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a5700dd9c090860e746394635df8148f9f381a8a4f8febb47ad15a4feb3c59
Instruction ID: 14fdf28440a4aa5a5208947208ef4f8004108f418493d58e0a892b69e7734314
Opcode Fuzzy Hash: b4a5700dd9c090860e746394635df8148f9f381a8a4f8febb47ad15a4feb3c59
Instruction Fuzzy Hash: 15D0123252D93536D9212669AC03F8B394DCB42BB0F100355BC21692D5EAC5DE1145E4

Function 0079612F Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020cacdd8480cb7acb5a33face7ae5f67d8364c27b2bc5f228b0cde8383a0b65
Instruction ID: c36de98a6aee4a9da1d6c4f66c899bcdb36868b079c0ba4391c6d24b5014d8bd
Opcode Fuzzy Hash: 020cacdd8480cb7acb5a33face7ae5f67d8364c27b2bc5f228b0cde8383a0b65
Instruction Fuzzy Hash: B3D0923204420DBBCF022EC5EC02DAA3F6AAB08760F848050FF1809532D677D571ABD5

Function 00795D58 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30dfdb52a031c33f5b6ff18ce6fdc34d666fe2e24e1da43cb5323fbbde7ce49a
Instruction ID: 0f5a9efde7ed57719fa618640cbd13a3974a23460da6ef84d5dca63eef381da4
Opcode Fuzzy Hash: 30dfdb52a031c33f5b6ff18ce6fdc34d666fe2e24e1da43cb5323fbbde7ce49a
Instruction Fuzzy Hash: 6ED02232101A2E37EA2026D8A802FEE3B0CDB10BB4F004022FE0C9E281CD60880403E2

Function 00796105 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a874a97c1a0f1350a0a091136a2aa511b6a6aa38adc0722bbc87292597935bc
Instruction ID: ab2c79070d24f26fc4678fd6c98c9ae940e73600a659318d77f3b47475c2aa4a
Opcode Fuzzy Hash: 0a874a97c1a0f1350a0a091136a2aa511b6a6aa38adc0722bbc87292597935bc
Instruction Fuzzy Hash: 47D0613600420EBB8F026E85EC02CAA3F6AAB08290B408010FE20050228A37E931AB91

Function 0079584E Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f50a0c2c459c39fdc94ca11e4ca1cf9b91adb04cdf75c924b0489fafd5ce781
Instruction ID: a8439c566db62d683c827d786a4e0a9c90790f09c94d4ad3ed37ee971de11814
Opcode Fuzzy Hash: 2f50a0c2c459c39fdc94ca11e4ca1cf9b91adb04cdf75c924b0489fafd5ce781
Instruction Fuzzy Hash: 43C0126044021CBAEF00F7E4DC0FDBF7A6CAB00740F800510791055092E778D51546A0

Function 00795831 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00697b1b55a066e8f6e82ecc9971366dd5c01e2c0e8b86d5be220022d81dff43
Instruction ID: cc4f629544cbbc765e4fabb9de29630ea1cfa3ee2c337df493c11f8867a0c173
Opcode Fuzzy Hash: 00697b1b55a066e8f6e82ecc9971366dd5c01e2c0e8b86d5be220022d81dff43
Instruction Fuzzy Hash: 4FC09B32501638674E117D45E401D99BB5C9D11BA17054465FD48771154663AC5057D4

Function 007A7B24 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b7a3ce230df7e31ab3e725e1e43306e95fe06bef9b56ac6c445c84563359095
Instruction ID: 904d3605e403eec3b753ba3efedff365562021f4752d4f28dec166f11a17ea74
Opcode Fuzzy Hash: 4b7a3ce230df7e31ab3e725e1e43306e95fe06bef9b56ac6c445c84563359095
Instruction Fuzzy Hash: E6C0027104820DABCF069F95EC0289A3B6AEF85364B004065FD180A221D733A931DB95

Function 00795D82 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f213a4fa0332fa88bc39a926fb07c1300ecb502a4f432fd2e01db9a1bb9e3ce3
Instruction ID: 909f8edf5d3c708760d1f32a6030f289525408c19d261dbf9dfc3751391639c0
Opcode Fuzzy Hash: f213a4fa0332fa88bc39a926fb07c1300ecb502a4f432fd2e01db9a1bb9e3ce3
Instruction Fuzzy Hash: DBB0123200CB1C7A9D0536E1FC07D4A3B8DD960AB0710101AF80C09192AE6BF55115DC

Function 00795966 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c058d809a171879c7d2e6b30af2b691a972df3c75a096c5f2351ff0c006427d
Instruction ID: 3e002fca66736210fde6266aa9b9836de84dc7c56b4c380afcfa5f52abd294b4
Opcode Fuzzy Hash: 5c058d809a171879c7d2e6b30af2b691a972df3c75a096c5f2351ff0c006427d
Instruction Fuzzy Hash: 73B09231004228BB47226A9A8809D8B7FACEB16AA07000004BD08471118A64A9019AE9

Function 00795A65 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a503f68feaf53306e5e090325c103b21fd0aafa9d66652788954b5afafb2aef
Instruction ID: de4dca3dda5291e408b64daefebb06e26692fa54da2375de1eec47e9bc249123
Opcode Fuzzy Hash: 4a503f68feaf53306e5e090325c103b21fd0aafa9d66652788954b5afafb2aef
Instruction Fuzzy Hash: 57C09B64809318AACA00F7F5950F89F7AEC5F01700F454554698052143DA789554C7B3

Function 00795B24 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1147995217c392e36dfc48353d2d3a4c789210a0bcddb43d26d5ef8e713f020
Instruction ID: 510ca7abcc2322a9312e76641e1e394255d65cb5ce78d837b5e57682031dfa55
Opcode Fuzzy Hash: c1147995217c392e36dfc48353d2d3a4c789210a0bcddb43d26d5ef8e713f020
Instruction Fuzzy Hash: DCA011B0000A28B38E023AA2EC0BC0A3A8C8A022C0B000020B8000A0228A2ABA2202A8

Function 00795D97 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a308af3d19b287379fcfdac4b35ebea863e8ea0d915d34481b303974fcc68d7
Instruction ID: fbebcc062591fc3cf132c3297113a4df8d327d31678276478593f17e91d15b2e
Opcode Fuzzy Hash: 1a308af3d19b287379fcfdac4b35ebea863e8ea0d915d34481b303974fcc68d7
Instruction Fuzzy Hash:

Function 00795A61 Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c1af10e55f65fcf33e1f61e2858dedc3d93677e06f0a9ee18408edf0f16553e
Instruction ID: f9d93bb6050abece768ba640a33519d1f25643404e4c276bdb386cb4d050c773
Opcode Fuzzy Hash: 3c1af10e55f65fcf33e1f61e2858dedc3d93677e06f0a9ee18408edf0f16553e
Instruction Fuzzy Hash:

Function 007E14E3 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 194
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

freerdp_error_info.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,007E14DF,?,00000000), ref: 007E1519
freerdp_get_error_info_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,?,?,?,?,?,?,007E14DF,?,00000000), ref: 007E155D
freerdp_reconnect.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,007E14DF,?,00000000), ref: 007E1601
freerdp_get_last_error.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,007E14DF,?,00000000), ref: 007E1611
Sleep.KERNEL32(0000000A,?,?,?,?,?,?,007E14DF,?,00000000), ref: 007E167E

Strings

client_auto_reconnect_ex, xrefs: 007E1568, 007E15DF, 007E1646, 007E16BC, 007E1715
C:\Project\agent-windows\freerdp\FreeRDP\client\common\client.c, xrefs: 007E156D, 007E15E4, 007E164B, 007E16C1, 007E171A
Network disconnect!, xrefs: 007E1710
Attempting reconnect (%u of %u), xrefs: 007E15DA
Maximum reconnect retries exceeded, xrefs: 007E16B7
com.freerdp.client.common, xrefs: 007E153E, 007E1589, 007E15BC, 007E1627, 007E169D, 007E16E9, 007E16F2
Disconnected by server hitting a bug or resource limit [%s], xrefs: 007E1563
Autoreconnect aborted by user, xrefs: 007E1641

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Sleepfreerdp_error_infofreerdp_get_error_info_stringfreerdp_get_last_errorfreerdp_reconnect
String ID: Attempting reconnect (%u of %u)$Autoreconnect aborted by user$C:\Project\agent-windows\freerdp\FreeRDP\client\common\client.c$Disconnected by server hitting a bug or resource limit [%s]$Maximum reconnect retries exceeded$Network disconnect!$client_auto_reconnect_ex$com.freerdp.client.common
API String ID: 968149013-2963753137
Opcode ID: cb2e67f9e6c65976ce67db458ac9e5d7d7f2fd034e10745fec362bd9c67b5903
Instruction ID: 7dea4445066ef38ad555c36af6f0997452fbd32bb1412132735dee7a8cb400a0
Opcode Fuzzy Hash: cb2e67f9e6c65976ce67db458ac9e5d7d7f2fd034e10745fec362bd9c67b5903
Instruction Fuzzy Hash: 9A514B31B41342BBEB21AF36EC4BF6E37A89B59B54F184429F500EA1D2EF7C99414E14

Function 007AA89E Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gdi_get_pixel_format.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,007AA899,?,?,00000000,00000000,Function_006DAA7A), ref: 007AA8B3
gdi_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,007AA899,?,?,00000000,00000000,Function_006DAA7A), ref: 007AAA40

Strings

gdi_init_ex, xrefs: 007AAA72
failed to initialize gdi, xrefs: 007AAA6D
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\gdi\gdi.c, xrefs: 007AAA77
com.freerdp.gdi, xrefs: 007AA8D7, 007AAA4F

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: gdi_freegdi_get_pixel_format
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\gdi\gdi.c$com.freerdp.gdi$failed to initialize gdi$gdi_init_ex
API String ID: 1251975138-534786182
Opcode ID: 62320fbca3054b669afda2dc7fea6ab77e2e65dc883e5b9ee58629182385a432
Instruction ID: 71f4e5a1fd9afc01c19d1f66685e2aaf3b261f2bf1d5256b3efe1839bac23196
Opcode Fuzzy Hash: 62320fbca3054b669afda2dc7fea6ab77e2e65dc883e5b9ee58629182385a432
Instruction Fuzzy Hash: 4D41D075600B02FFDB14AF34DC46B6A77E1BF85310F148529F5588B2A2EF39A851CB61

Function 00770E1F Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00770F64
RtlLeaveCriticalSection.NTDLL(?), ref: 00770F79

Strings

error: too many channels, xrefs: 00770E5F
com.freerdp.core.client, xrefs: 00770E3D, 00770E9A, 00770F9B
freerdp_channels_client_load_ex, xrefs: 00770E64, 00770EBD, 00770FBE
error: channel export function call failed, xrefs: 00770FB9
PDRF, xrefs: 00770F4B
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c, xrefs: 00770E69, 00770EC2, 00770FC3
Skipping, channel already loaded, xrefs: 00770EB8
,, xrefs: 00770F23

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: ,$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load_ex
API String ID: 3168844106-1571615648
Opcode ID: 9f4f86c510523e32daa7c75466da6a8aa122000b2eee724804714a007c1d8d20
Instruction ID: aaf6a01bd63a42e54895ceb9789f1234fbcb84f5b632e51713a61ebf4d2410ee
Opcode Fuzzy Hash: 9f4f86c510523e32daa7c75466da6a8aa122000b2eee724804714a007c1d8d20
Instruction Fuzzy Hash: 4041E271A44306EFDB14EF68EC46B9D77F4EB09718F108419F618EB2D4D7B8A8218B94

Function 007E6C86 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

freerdp_device_collection_add.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?), ref: 007E6D79
freerdp_device_collection_add.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000000), ref: 007E6E1D
freerdp_device_collection_add.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000000), ref: 007E6F6F
freerdp_device_collection_add.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000000), ref: 007E7044

Strings

parallel, xrefs: 007E6FAF
printer, xrefs: 007E6CDF
serial, xrefs: 007E6E3D
drive, xrefs: 007E6C95
smartcard, xrefs: 007E6DA3

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_device_collection_add
String ID: drive$parallel$printer$serial$smartcard
API String ID: 2538329621-807955808
Opcode ID: 98c44394dd455b56cad5c806e228b8463edc7de9885b949d55a919656834fe0e
Instruction ID: 06e486079c21d32a73f67c221f7d4da573729047c76d19b15aac02bb294ba916
Opcode Fuzzy Hash: 98c44394dd455b56cad5c806e228b8463edc7de9885b949d55a919656834fe0e
Instruction Fuzzy Hash: EAB1F1726096469BDF14AF1DDC4195E7BA1FF18350B1480AAF8049F253EF36ED15CB82

Function 00770C4D Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00770D92
RtlLeaveCriticalSection.NTDLL(?), ref: 00770DB2

Strings

error: too many channels, xrefs: 00770C8E
com.freerdp.core.client, xrefs: 00770C6C, 00770CCA, 00770DD3
error: channel export function call failed, xrefs: 00770DF1
freerdp_channels_client_load, xrefs: 00770C93, 00770CED, 00770DF6
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c, xrefs: 00770C98, 00770CF2, 00770DFB
Skipping, channel already loaded, xrefs: 00770CE8
PDRF, xrefs: 00770D76

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load
API String ID: 3168844106-4217659166
Opcode ID: a176f56e71b6eec37717d8aed89684a89c7930c016d1fcf98b43f030bdebc50f
Instruction ID: a36518c31d04798e8b3eb825a8a90a87d9491c03706e52d1a22a8419508dbf8a
Opcode Fuzzy Hash: a176f56e71b6eec37717d8aed89684a89c7930c016d1fcf98b43f030bdebc50f
Instruction Fuzzy Hash: 7D51E371A00305EFDB10EF69EC46F5D77B4EB49B54F108429FA08AB2D1E7B8A9108B94

Function 00873B76 Relevance: 15.1, APIs: 10, Instructions: 134COMMON

Download Yara Rule

APIs

freerdp_settings_set_bool.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000400,00000001), ref: 00873B87
freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000401,00000000), ref: 00873BB7
freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000404,?), ref: 00873BDB
freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000402,00000000), ref: 00873BFA
freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000014,?), ref: 00873C12
freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,000006C1,?), ref: 00873C2B
freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000403,?), ref: 00873C44
freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000015,00000000), ref: 00873C60
freerdp_settings_set_uint32.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000013,?), ref: 00873C82
freerdp_target_net_addresses_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 00873C93

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_settings_set_string$freerdp_settings_set_boolfreerdp_settings_set_uint32freerdp_target_net_addresses_free
String ID:
API String ID: 949014189-0
Opcode ID: 12f87a41451c66bc5c8156e90c5a793ed94ff3185f274a213cefdbc36b09d4f7
Instruction ID: 1cae7a3514ca481c0e2f8e1c7ea9ff30f0806eee68f25e4caf8e7e7c58ed0348
Opcode Fuzzy Hash: 12f87a41451c66bc5c8156e90c5a793ed94ff3185f274a213cefdbc36b09d4f7
Instruction Fuzzy Hash: 2A41C271640A0ABBE7315F34CC49F9A7794FF05310F048024EA09E6596EB7AEAA0D797

Function 00821612 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 007F5CD5: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,?,00821701,00000001), ref: 007F5CF9

zgfx_context_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000), ref: 00821874

Part of subcall function 0087693A: zgfx_context_reset.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,00000000,00000000,?,00821879,00000000), ref: 00876964

Strings

com.freerdp.channels.rdpgfx.client, xrefs: 00821635, 0082167A, 0082167F, 008216A0, 008216BE, 00821719, 008217ED, 00821898
Failed to acquire reference to WLog %s, xrefs: 008216BF
rdpgfx_client_context_new, xrefs: 0082165C, 008216C4, 0082173C, 00821810, 008218B7
C:\Project\agent-windows\freerdp\FreeRDP\channels\rdpgfx\client\rdpgfx_main.c, xrefs: 00821661, 008216C9, 00821741, 00821815, 008218BC
calloc failed!, xrefs: 00821657, 0082180B
HashTable_New failed!, xrefs: 00821737
zgfx_context_new failed!, xrefs: 008218B2

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpinzgfx_context_newzgfx_context_reset
String ID: C:\Project\agent-windows\freerdp\FreeRDP\channels\rdpgfx\client\rdpgfx_main.c$Failed to acquire reference to WLog %s$HashTable_New failed!$calloc failed!$com.freerdp.channels.rdpgfx.client$rdpgfx_client_context_new$zgfx_context_new failed!
API String ID: 3732774510-3243565116
Opcode ID: a86634996eb8bf21463ba68963dad05c63fa9b9b946b9351cba10ff7debc8a20
Instruction ID: 5a0c95f15a1adfe5a53272a40ae0afe325d8e17d2f4445b71315d9c4abfc7fbb
Opcode Fuzzy Hash: a86634996eb8bf21463ba68963dad05c63fa9b9b946b9351cba10ff7debc8a20
Instruction Fuzzy Hash: 23711A70684712AFD7149B36EC4AB1977D4FB64728F200539F605DBAD2DFB4A880CB89

Function 007EE889 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 106COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 007EE8B2
GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 007EE8D6

Strings

%s environment variable modified in my back, xrefs: 007EE8E8
UDP, xrefs: 007EE94E
FILE, xrefs: 007EE922
BINARY, xrefs: 007EE938
CONSOLE, xrefs: 007EE911
WLOG_APPENDER, xrefs: 007EE8A6, 007EE8D1, 007EE8E3

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: EnvironmentVariable
String ID: %s environment variable modified in my back$BINARY$CONSOLE$FILE$UDP$WLOG_APPENDER
API String ID: 1431749950-225596728
Opcode ID: fa1d498efb25a38156930a0962724f47053a77be4385ff1c3f5b89d799f2309a
Instruction ID: 9c8704e5f679b37c8624033f987d58a50e364a86b19185464192f4d8b29d196d
Opcode Fuzzy Hash: fa1d498efb25a38156930a0962724f47053a77be4385ff1c3f5b89d799f2309a
Instruction Fuzzy Hash: E121FB7324679B29A654776A7C4BE3F1798EB8777C720082EF405E50C3EE98A84146A3

Function 00763971 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

freerdp_set_last_error_ex.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000015B), ref: 007748D9
freerdp_set_last_error_ex.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000000,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000016A), ref: 0077498F

Strings

freerdp, xrefs: 00774919
ErrorInfo, xrefs: 0077490B
rdp_set_error_info, xrefs: 007748CC, 00774953, 00774958, 0077495E, 00774987
com.freerdp.core.rdp, xrefs: 00774933
%s missing context=%p, xrefs: 00774959
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c, xrefs: 007748C7, 0077495F, 00774982

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_set_last_error_ex
String ID: %s missing context=%p$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c$ErrorInfo$com.freerdp.core.rdp$freerdp$rdp_set_error_info
API String ID: 270715978-29603548
Opcode ID: e52ba6d3cfd256522299b194a5cfacedd63e5415e167a55a35489f0a552fd564
Instruction ID: d5ca6bca910d0945e61a5bd786766457b71194782c262cc23f7669af4013c0d4
Opcode Fuzzy Hash: e52ba6d3cfd256522299b194a5cfacedd63e5415e167a55a35489f0a552fd564
Instruction Fuzzy Hash: DD213B72A41314BADB106B58DC06FEB7B6CAB85B54F108056FE086A1C6E7B4A640CFA1

Function 008758B8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

audio_format_get_tag_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,?,?,00875425,?,?,?,?,00000000,?), ref: 008758FA
audio_format_get_tag_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000001,00000000,?,?,00875425,?,?,?,?,00000000,?), ref: 00875902
audio_format_compatible.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00875425,?,?,?,?,00875425,?,?,?,?,00000000,?), ref: 0087594D

Strings

freerdp_dsp_resample, xrefs: 00875909, 0087590E, 00875914, 00875989
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\dsp.c, xrefs: 00875915, 0087598E
com.freerdp.dsp, xrefs: 008758D4, 00875966
Missing resample support, recompile -DWITH_SOXR=ON or -DWITH_DSP_FFMPEG=ON, xrefs: 00875984
%s requires %s for sample input, got %s, xrefs: 0087590F

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: audio_format_get_tag_string$audio_format_compatible
String ID: %s requires %s for sample input, got %s$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\dsp.c$Missing resample support, recompile -DWITH_SOXR=ON or -DWITH_DSP_FFMPEG=ON$com.freerdp.dsp$freerdp_dsp_resample
API String ID: 204136587-155179076
Opcode ID: 92c84429c54b57240f0b53382a9aad5b1ebe7be5a170b50ab2ba7774dbb3d200
Instruction ID: 05b26e35ec478439205e0962bf757614058c34a0993e8966d055b96539927822
Opcode Fuzzy Hash: 92c84429c54b57240f0b53382a9aad5b1ebe7be5a170b50ab2ba7774dbb3d200
Instruction Fuzzy Hash: 69210AA1744300AAE710AB75BC43F6B33D8EB44B28F10441AF74CEE2D5E9E0D84183A9

Function 007F4B0C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(secur32.dll,?,007F4AEC), ref: 007F4B18
LoadLibraryA.KERNEL32(security.dll,?,007F4AEC), ref: 007F4B28
GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceW), ref: 007F4B42
GetProcAddress.KERNEL32(InitSecurityInterfaceA), ref: 007F4B51

Strings

InitSecurityInterfaceA, xrefs: 007F4B44
security.dll, xrefs: 007F4B23
InitSecurityInterfaceW, xrefs: 007F4B3C
secur32.dll, xrefs: 007F4B13

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InitSecurityInterfaceA$InitSecurityInterfaceW$secur32.dll$security.dll
API String ID: 2574300362-4081094439
Opcode ID: 020a08ceb542cc53e58a8fcd8b5c4282da0667e40c94dd29e62df811d610d49d
Instruction ID: 87410051b0b53a96122a079444d4d25e2ff4225c62979bf05f3009a40a5074a0
Opcode Fuzzy Hash: 020a08ceb542cc53e58a8fcd8b5c4282da0667e40c94dd29e62df811d610d49d
Instruction Fuzzy Hash: 77F03EB3D5832B979712DBFDBC04D6B6AE8AAC57543070167E900D3355E774C8024F90

Function 007A42E5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 181fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 007A4320
GetFileSize.KERNEL32(00000000,?), ref: 007A433A

Strings

%s %hu %s %s %s, xrefs: 007A4610

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: File$CreateSize
String ID: %s %hu %s %s %s
API String ID: 2791376181-2916857029
Opcode ID: 1a8b0f0f50f881439f16813f2756cb4ab64e2170ee9b1091c8db9a1bb83d5b5d
Instruction ID: e9665d67b0d44b60f998efa99a2ebfb2f3fbc31bfbda558b3a8a5768a75c36bd
Opcode Fuzzy Hash: 1a8b0f0f50f881439f16813f2756cb4ab64e2170ee9b1091c8db9a1bb83d5b5d
Instruction Fuzzy Hash: E55163B1D00219AFEB109BB4DC45ABF77FCEF86720F10422AF901E6151EB759D008B65

Function 0078501B Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

ber_read_universal_tag.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000002,00000000), ref: 0078502A
ber_read_length.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?), ref: 0078503F

Strings

C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\crypto\ber.c, xrefs: 00785132, 00785182
com.freerdp.crypto, xrefs: 0078510A, 00785159
ber_read_integer, xrefs: 0078512D, 0078517D
should implement reading an integer with length=%d, xrefs: 00785178
should implement reading an 8 bytes integer, xrefs: 00785128

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ber_read_lengthber_read_universal_tag
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\crypto\ber.c$ber_read_integer$com.freerdp.crypto$should implement reading an 8 bytes integer$should implement reading an integer with length=%d
API String ID: 3186670568-2454464461
Opcode ID: 41192975dbd99f45a5df46c2c088d9152343d856fdb37884a73efa66c84eceae
Instruction ID: a1055c60e7e1f7e4e5e78a03cddbfa78975d918313d8f3b940fb489a2d878e47
Opcode Fuzzy Hash: 41192975dbd99f45a5df46c2c088d9152343d856fdb37884a73efa66c84eceae
Instruction Fuzzy Hash: 4B4178B1B84B519FDB20AF34CC86B2A37E6AB96724F144169F4548A2C9E63CD900CB64

Function 007C9C5D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 109COMMON

Download Yara Rule

APIs

region16_rects.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?), ref: 007C9C6E

Strings

C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\region.c, xrefs: 007C9CAC, 007C9D0E, 007C9D6E
(%hu,%hu-%hu,%hu), xrefs: 007C9D64
com.freerdp.codec, xrefs: 007C9C80, 007C9CE5, 007C9D33
nrects=%u, xrefs: 007C9CA2
region16_print, xrefs: 007C9CA7, 007C9D09, 007C9D69
band %d: , xrefs: 007C9D04

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: region16_rects
String ID: (%hu,%hu-%hu,%hu)$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\region.c$band %d: $com.freerdp.codec$nrects=%u$region16_print
API String ID: 844131241-2640574824
Opcode ID: 8a4df1942a464bbaac5eb96080e66c3e13711a462fb0e911f83b50213a39a58b
Instruction ID: 1415d2537631401e4ad4b6afc53070a696ec11d3e76b446b51fa1583421a2d2a
Opcode Fuzzy Hash: 8a4df1942a464bbaac5eb96080e66c3e13711a462fb0e911f83b50213a39a58b
Instruction Fuzzy Hash: CB31B472BC0302B9E620A7A5AC8BFB633D8DB59B15F14041DFA54E61D0FBA99D408A70

Function 00762BCF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

freerdp_set_last_error_ex.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00762C14
clearChannelError.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00762C1B

Part of subcall function 007626E1: ResetEvent.KERNEL32(?), ref: 0076270A

Part of subcall function 00778142: ResetEvent.KERNEL32(?,?,00762C27,?,?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 0077814E

Strings

freerdp, xrefs: 00763062
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00762BFC
freerdp_connect, xrefs: 00762C01
ConnectionResult, xrefs: 00763077

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: EventReset$ChannelErrorclearfreerdp_set_last_error_ex
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$ConnectionResult$freerdp$freerdp_connect
API String ID: 3632380314-3564821047
Opcode ID: 5be61532eb88321d0702f61a0498a2ebeb18c859f5ac220250d4118a8ac875d2
Instruction ID: 257bd66cd115d8c9b3e29c9a953eed7eee70048912802a145be0484699ec03f3
Opcode Fuzzy Hash: 5be61532eb88321d0702f61a0498a2ebeb18c859f5ac220250d4118a8ac875d2
Instruction Fuzzy Hash: 8531AD70A00609AFEB10DF79D889BEAB7E5BF08340F140029F809D7292EB799D54CB50

Function 007853FD Relevance: 12.1, APIs: 8, Instructions: 80COMMON

Download Yara Rule

APIs

ber_write_universal_tag.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000002,00000000), ref: 00785415
ber_write_length.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000001,?,00000002,00000000), ref: 0078541D
ber_write_universal_tag.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000002,00000000), ref: 00785440
ber_write_length.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000002,?,00000002,00000000), ref: 00785448

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ber_write_lengthber_write_universal_tag
String ID:
API String ID: 1889070510-0
Opcode ID: 18ef3f9f5ae11241768caf1c4dc31a824dec3e3bd5586f49f269dacf6024e569
Instruction ID: b6e6ddec0cd907bbc316be1c5da96cd4995f62c255af1f3a9948e757bd802a0d
Opcode Fuzzy Hash: 18ef3f9f5ae11241768caf1c4dc31a824dec3e3bd5586f49f269dacf6024e569
Instruction Fuzzy Hash: A521DA31185F80EFDB127B05CD46B5A77A5EF11B11F008459F94E1F783C269AE51CBA1

Function 0078CB5F Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

glyph_cache_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 0078CB79
brush_cache_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 0078CB86
pointer_cache_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 0078CB94
bitmap_cache_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 0078CBA2
offscreen_cache_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 0078CBB0
palette_cache_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 0078CBBE
nine_grid_cache_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 0078CBCC
cache_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000), ref: 0078CBDE

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: bitmap_cache_newbrush_cache_newcache_freeglyph_cache_newnine_grid_cache_newoffscreen_cache_newpalette_cache_newpointer_cache_new
String ID:
API String ID: 2332728789-0
Opcode ID: 42906154869710506a0c67ebba1e6bbb42983877cc0118c6e46d3c0bd67e0258
Instruction ID: 506ada4656b1f44ccc2f939bf61ce5a4cdd56b76d99e58edfc297982b4b2f876
Opcode Fuzzy Hash: 42906154869710506a0c67ebba1e6bbb42983877cc0118c6e46d3c0bd67e0258
Instruction Fuzzy Hash: AE0161761C8F07AAE3267B75984AD2B6BE88F42B60710443EE584D6981EF3CD40187B1

Function 007AEFD0 Relevance: 10.7, APIs: 7, Instructions: 160COMMON

Download Yara Rule

APIs

region16_init.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 007AF58A

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: region16_init
String ID:
API String ID: 4140821900-0
Opcode ID: 3e8d829aa97f6b1ed1f2f2cf94f42bc771981313d169c183af5fd76dbc63c424
Instruction ID: 71e971c51fee3adbe2569c8222f32b469f2b71f776d9112859e9573fd60e27c0
Opcode Fuzzy Hash: 3e8d829aa97f6b1ed1f2f2cf94f42bc771981313d169c183af5fd76dbc63c424
Instruction Fuzzy Hash: ED513AB2D00219DBCB18DFE5C885AEEBBF9EF48304F10462EF519A7241E7399955CB60

Function 007AAA9A Relevance: 10.6, APIs: 7, Instructions: 147windowCOMMON

Download Yara Rule

APIs

gdi_CreateCompatibleDC.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000000,?,?,?,007AA9C7,00000000,?,?,?,?,?,?,?,?,007AA899), ref: 007AAAE7
gdi_CreateCompatibleBitmap.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,00000000,?,?,?,007AA9C7,00000000,?,?,?,?), ref: 007AAB0E
gdi_CreateBitmapEx.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,00000000,?,?,?,007AA9C7,00000000,?,?,?,?), ref: 007AAB2A
gdi_SelectObject.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?), ref: 007AAB60
gdi_CreateRectRgn.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,00000000,00000000,00000000), ref: 007AABA5
gdi_DeleteObject.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 007AAC39
gdi_DeleteDC.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 007AAC48

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: gdi_$Create$BitmapCompatibleDeleteObject$RectSelect
String ID:
API String ID: 412453062-0
Opcode ID: 63bcb7db3704573387d602035f9edcf4ce94fd8292c8b1d92a53da2faae9183a
Instruction ID: cab60adb787178e35e3f88ca3ca000be09ba3381d287f73a214ff5a12f16cca9
Opcode Fuzzy Hash: 63bcb7db3704573387d602035f9edcf4ce94fd8292c8b1d92a53da2faae9183a
Instruction Fuzzy Hash: 72511575600B05AFDB25DF28C884EA6B7E1FF5C310B0545ADE88A8BB22E775E840CF51

Function 007FEA62 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,00000000,00000000,?,?,?,?,?,007F6939,?,?,?,?,007F6A0A,?), ref: 007FEABD
GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,?,?,?,?,007F6939,?,?,?,?,007F6A0A,?,?,00000000), ref: 007FEAE7
GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,00000000,?,?,?,007F6939,?,?,?,?,007F6A0A,?,?,00000000), ref: 007FEB14
GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,?,?,?,?,007F6939,?,?,?,?,007F6A0A,?,?,00000000), ref: 007FEB37

Strings

WLOG_FILEAPPENDER_OUTPUT_FILE_PATH, xrefs: 007FEA87, 007FEAE2
WLOG_FILEAPPENDER_OUTPUT_FILE_NAME, xrefs: 007FEB0F, 007FEB32

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: EnvironmentVariable
String ID: WLOG_FILEAPPENDER_OUTPUT_FILE_NAME$WLOG_FILEAPPENDER_OUTPUT_FILE_PATH
API String ID: 1431749950-2760771567
Opcode ID: 12327973ddfe5c4239153c67e79bd4ea30b009029c5d775b8ad8bf2b2d6f8111
Instruction ID: 52b183de139b3e4923aeee6a0616f6c40838e7f629c5f806cb368c38f39eb164
Opcode Fuzzy Hash: 12327973ddfe5c4239153c67e79bd4ea30b009029c5d775b8ad8bf2b2d6f8111
Instruction Fuzzy Hash: C831E5B2A05B1EBF87149B699C49D7E7B68FF407683100029FA01D3761DB789D14C7A2

Function 001E8EE0 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00A21278,Function_00068C90,001E8EC0,00000000), ref: 001E8F0A
GetLastError.KERNEL32 ref: 001E8F38
TlsGetValue.KERNEL32 ref: 001E8F46
SetLastError.KERNEL32(00000000), ref: 001E8F4F
RtlAcquireSRWLockExclusive.NTDLL(00A21284), ref: 001E8F61
RtlReleaseSRWLockExclusive.NTDLL(00A21284), ref: 001E8F73
TlsSetValue.KERNEL32(00000000,?,?,00000000,001CB080), ref: 001E8FB5

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ErrorExclusiveLastLockOnceValue$AcquireExecuteInitRelease
String ID:
API String ID: 389898287-0
Opcode ID: 34e0b497db372b8f9cad7a4976a42786fa13e8fc8c5fe107ed6d7e854f82f2db
Instruction ID: 243423edf7a75a5b9b191ac2b22a5b1df55d8ba439579a3fe31ef4e285848942
Opcode Fuzzy Hash: 34e0b497db372b8f9cad7a4976a42786fa13e8fc8c5fe107ed6d7e854f82f2db
Instruction Fuzzy Hash: 6D21D13260025AAFDB109FADEC49BAE3BA5FB05700F050030F909D6291EF719C01CBA2

Function 007FF61C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 007FF673
GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,007F6921,?,?,?,?,007F6A0A,?,?,00000000,?,007EE976,00000000), ref: 007FF68A
GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,007F6921,?,?,?,?,007F6A0A,?,?,00000000,?,007EE976,00000000), ref: 007FF6AB
closesocket.WS2_32(?), ref: 007FF6E6

Strings

127.0.0.1:20000, xrefs: 007FF6CB
WLOG_UDP_TARGET, xrefs: 007FF685, 007FF6A6

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: EnvironmentVariable$closesocketsocket
String ID: 127.0.0.1:20000$WLOG_UDP_TARGET
API String ID: 65193492-3368084233
Opcode ID: 3b381d343965406e2d2cb15cbc726c888795dbfa4612787569488a08fbfe3d0d
Instruction ID: 1915e5b9430844ad33090c7815247fedb522b4ba8c14a6321423b2b46e727636
Opcode Fuzzy Hash: 3b381d343965406e2d2cb15cbc726c888795dbfa4612787569488a08fbfe3d0d
Instruction Fuzzy Hash: AA21BE72145B0AABD3205F699C09B2B7BE4FF40758F20043EF642DA7A2EFB5A8058755

Function 0080001B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(winsta.dll,?,007F78D9,00AA7120), ref: 00800023
GetProcAddress.KERNEL32(00000000,WinStationVirtualOpen), ref: 0080003C
GetProcAddress.KERNEL32(WinStationVirtualOpenEx), ref: 00800052

Strings

WinStationVirtualOpen, xrefs: 00800036
WinStationVirtualOpenEx, xrefs: 00800042
winsta.dll, xrefs: 0080001E

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: WinStationVirtualOpen$WinStationVirtualOpenEx$winsta.dll
API String ID: 2238633743-2382846951
Opcode ID: cb5c6330b9262c103bc1a4ae0c2b730feb20a67e9d046b0483fc72d841e57ef1
Instruction ID: 444d4b9acacb248a5f5b00bd89b2fe8fc1486896fd732b2be1e6eee91fb950c0
Opcode Fuzzy Hash: cb5c6330b9262c103bc1a4ae0c2b730feb20a67e9d046b0483fc72d841e57ef1
Instruction Fuzzy Hash: 640113B06057058FC7809FF1AC0DB663AE4FB44359F0541B9AA0DDB2A2EBB09408CF14

Function 0078CB11 Relevance: 10.5, APIs: 7, Instructions: 26COMMON

Download Yara Rule

APIs

glyph_cache_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 0078CB1E
brush_cache_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?), ref: 0078CB26
pointer_cache_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?), ref: 0078CB2E
bitmap_cache_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?), ref: 0078CB36
offscreen_cache_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?), ref: 0078CB3E
palette_cache_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?), ref: 0078CB46
nine_grid_cache_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?), ref: 0078CB4E

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: bitmap_cache_freebrush_cache_freeglyph_cache_freenine_grid_cache_freeoffscreen_cache_freepalette_cache_freepointer_cache_free
String ID:
API String ID: 637575458-0
Opcode ID: 7ad28be861358ee9bde9c91c788d2f392276a4a1cd27f1ec8984fa40b200d7dc
Instruction ID: f8800c16964cb57de2398b76152ef266d9955698333d94e58e784234f4008a97
Opcode Fuzzy Hash: 7ad28be861358ee9bde9c91c788d2f392276a4a1cd27f1ec8984fa40b200d7dc
Instruction Fuzzy Hash: 99E0ED31441A14EBCA323F61DC07C5ABBAABF017517044529F59A61473CB2AAC60AB91

Function 007CDFDE Relevance: 9.2, APIs: 6, Instructions: 160COMMON

Download Yara Rule

APIs

gdi_CRgnToRect.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 007CE040
gdi_RgnToRect.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?), ref: 007CE04F
gdi_CRgnToRect.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 007CE062
gdi_RgnToRect.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?), ref: 007CE0A3
gdi_CRgnToRect.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,?,?,?), ref: 007CE0C8
gdi_RectToCRgn.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 007CE147

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Rectgdi_
String ID:
API String ID: 2404991910-0
Opcode ID: b3ebec80151d146a4d55317548aa9d759914aa3bd9ef31cf303d2260113535e5
Instruction ID: a272ddb90eba3319031f8f229ba7a5c9ae9ad5d00b2a8254259d3941e82c9dd4
Opcode Fuzzy Hash: b3ebec80151d146a4d55317548aa9d759914aa3bd9ef31cf303d2260113535e5
Instruction Fuzzy Hash: 6951CEB2E0121DEFCF14CF98C9859EEBBB9FF48310B24402EE515A7250D774AA51CBA0

Function 007A1D8F Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

freerdp_settings_set_uint32.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,000007C0,?), ref: 007A1DA2
freerdp_settings_set_bool.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,000007C8,00000001), ref: 007A1DCC
freerdp_settings_set_bool.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,000007C8,00000000), ref: 007A1DE8
freerdp_settings_set_bool.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,000007C9,00000000), ref: 007A1DFC
freerdp_settings_set_bool.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,000007C8,00000000), ref: 007A1E19
freerdp_settings_set_bool.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,000007C9,00000000), ref: 007A1E2D

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_settings_set_bool$freerdp_settings_set_uint32
String ID:
API String ID: 4272850885-0
Opcode ID: 3ea0a0162d7e9506aea58fcc0c8a3655e8c344f224c799a42870156a752d33d1
Instruction ID: 380530734a130c1322374be869cfb1fbaf4209a5dd2f1a1ca510b79f97e1e45c
Opcode Fuzzy Hash: 3ea0a0162d7e9506aea58fcc0c8a3655e8c344f224c799a42870156a752d33d1
Instruction Fuzzy Hash: F311A166FCE212B5F96420644C82F6B129C4FF3F56FA40225FE09E51C1E99DEA00C5B6

Function 007C8AF6 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

freerdp_image_copy.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,?,08008000,00000000,00000000,00000000,?,00000001,?,?), ref: 007C8C2B

Strings

1bpp and 4bpp icons are not supported, xrefs: 007C8DB5
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 007C8DBF
com.freerdp.color, xrefs: 007C8D98
freerdp_image_copy_from_icon_data, xrefs: 007C8DBA

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_image_copy
String ID: 1bpp and 4bpp icons are not supported$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$com.freerdp.color$freerdp_image_copy_from_icon_data
API String ID: 1523062921-332027372
Opcode ID: 45629e7483034de7635126396a75cfff0654141ae8840b18ad571ce510969aca
Instruction ID: f0095e5b6b50dd04905fe1ebb387ea49701149b2452d535cea1344705c246309
Opcode Fuzzy Hash: 45629e7483034de7635126396a75cfff0654141ae8840b18ad571ce510969aca
Instruction Fuzzy Hash: E051A4B2A0021DAADF649F14CC41FFA77B8EB58304F0481ADF919A61C1DB749E81CF65

Function 007E8423 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

Strings

kbd-lang-list, xrefs: 007E84D3
kbd-list, xrefs: 007E84F5
monitor-list, xrefs: 007E85E3

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID: kbd-lang-list$kbd-list$monitor-list
API String ID: 0-1393584692
Opcode ID: 888be11f3bb187b2ba04c23e095e5b08763123514e00a8625a5462a8a7f1fedd
Instruction ID: d2a84186109cdbf0e614e2a224239e93174a2e366e0f810ecdc4c34ec8fd24e1
Opcode Fuzzy Hash: 888be11f3bb187b2ba04c23e095e5b08763123514e00a8625a5462a8a7f1fedd
Instruction Fuzzy Hash: 5E31F83290225CABCB60DB6DDD46DDBB7A8EB48324F0445A5FD1CE31D2DA74DA40CAD2

Function 007B9962 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c, xrefs: 007B9AFA
interleaved_compress, xrefs: 007B9AF5
interleaved_compress: width (%u) or height (%u) is greater than 64, xrefs: 007B9AF0
com.freerdp.codec, xrefs: 007B9AD0

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c$com.freerdp.codec$interleaved_compress$interleaved_compress: width (%u) or height (%u) is greater than 64
API String ID: 0-4054760794
Opcode ID: 4e1664556de511b19e845d00fca83b5f5c22c9ed92945ed8212fbd82af9d9cad
Instruction ID: 72468af483400667488867cb69d0ba0f1fcc65c2ca8a60f28d62406773cbbb50
Opcode Fuzzy Hash: 4e1664556de511b19e845d00fca83b5f5c22c9ed92945ed8212fbd82af9d9cad
Instruction Fuzzy Hash: F921D0B2300205FBEF219E96DC46FEB3B59EB04754F084118FB24961A0E779EC50CB50

Function 007EE492 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3CC8

Strings

InitializeSecurityContextW: %s (0x%08X), xrefs: 007F3D23
sspi_InitializeSecurityContextW, xrefs: 007F3D28, 007F3D60, 007F3D65, 007F3D6B
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3D2D, 007F3D6C
[%s]: Security module does not provide an implementation, xrefs: 007F3D66

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextW
API String ID: 689400697-743139187
Opcode ID: fbfb016f1adf6c981a85eae800cc71154e905fca2dfb194e5a5c4b815e377531
Instruction ID: 9fc8eb24b85888c345d624aed981fc02b04b355118f663469836fb94490871d3
Opcode Fuzzy Hash: fbfb016f1adf6c981a85eae800cc71154e905fca2dfb194e5a5c4b815e377531
Instruction Fuzzy Hash: 6921D532384249BBEF125F96DC06EAF3F69EB99B54F000054FB04661E1DA66DA20D7A0

Function 007EE489 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3DA3

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3E08, 007F3E47
sspi_InitializeSecurityContextA, xrefs: 007F3E03, 007F3E3B, 007F3E40, 007F3E46
[%s]: Security module does not provide an implementation, xrefs: 007F3E41
InitializeSecurityContextA: %s (0x%08X), xrefs: 007F3DFE

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextA
API String ID: 689400697-1744466472
Opcode ID: bc251477990981516e47593d767caa7d035b5f68f4b9faea69fe86cf2c275838
Instruction ID: c756bdcec116504f0307e8d14f9b85531d91f3bab9126ae8530fb2efeb83e344
Opcode Fuzzy Hash: bc251477990981516e47593d767caa7d035b5f68f4b9faea69fe86cf2c275838
Instruction Fuzzy Hash: 5A219332344209BBDF125E96EC06EAF3F69EB99B14F000054FB04651E1D666DA61D7A0

Function 007EE413 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3227

Strings

sspi_AcquireCredentialsHandleW, xrefs: 007F327E, 007F32B6, 007F32BB, 007F32C1
AcquireCredentialsHandleW: %s (0x%08X), xrefs: 007F3279
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3283, 007F32C2
[%s]: Security module does not provide an implementation, xrefs: 007F32BC

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: AcquireCredentialsHandleW: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleW
API String ID: 689400697-2657764935
Opcode ID: e38d38fc13202c358a2274989bf96ba6a5676dfde5ca6fb0560bc232d61ef714
Instruction ID: 906ca5bc2a92127425d9ea50d088279ce2a656d801a7dbd1c9a02c96f574749d
Opcode Fuzzy Hash: e38d38fc13202c358a2274989bf96ba6a5676dfde5ca6fb0560bc232d61ef714
Instruction Fuzzy Hash: 3D119A32348209BBDF125E96EC07EBB3F69FB95724F004094FB04552E1D766CA21D7A1

Function 007EE40A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F32F9

Strings

sspi_AcquireCredentialsHandleA, xrefs: 007F3350, 007F3388, 007F338D, 007F3393
AcquireCredentialsHandleA: %s (0x%08X), xrefs: 007F334B
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3355, 007F3394
[%s]: Security module does not provide an implementation, xrefs: 007F338E

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: AcquireCredentialsHandleA: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleA
API String ID: 689400697-1172745827
Opcode ID: 7a09340849726ddab4e2b77d7c26f8caf4e38ed768a2def9a80cb7083ae3d0e5
Instruction ID: d77bb3eb72265d71fed6cbbabb4e0c47fcf738345631ba27ffa5544cb4997d37
Opcode Fuzzy Hash: 7a09340849726ddab4e2b77d7c26f8caf4e38ed768a2def9a80cb7083ae3d0e5
Instruction Fuzzy Hash: 8411DA32348209BBDF129E96DC07EAF3F69EF86720F000054FB04652E1DB66D960D7A4

Function 007EE401 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F384E

Strings

AcceptSecurityContext: %s (0x%08X), xrefs: 007F38A0
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F38AA, 007F38E9
sspi_AcceptSecurityContext, xrefs: 007F38A5, 007F38DD, 007F38E2, 007F38E8
[%s]: Security module does not provide an implementation, xrefs: 007F38E3

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: AcceptSecurityContext: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcceptSecurityContext
API String ID: 689400697-2008077614
Opcode ID: b80f1f3afa0f0d18970427d3048e5f70c2b06e6d1161d1db3c3bb8e42374c98e
Instruction ID: eb00089aa8ae5cbb30b7bc98795b0de9f027fd0f7de7bc04e561d954d3e0e503
Opcode Fuzzy Hash: b80f1f3afa0f0d18970427d3048e5f70c2b06e6d1161d1db3c3bb8e42374c98e
Instruction Fuzzy Hash: 3C112C72344309BBDF129E96EC07E7F3F69EB85B54F000055FB04652E1D6A9DA21D7A0

Function 007EE476 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3548

Strings

sspi_ImportSecurityContextW, xrefs: 007F3590, 007F35C8, 007F35CD, 007F35D3
ImportSecurityContextW: %s (0x%08X), xrefs: 007F358B
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3595, 007F35D4
[%s]: Security module does not provide an implementation, xrefs: 007F35CE

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextW
API String ID: 689400697-3257054040
Opcode ID: 7cad2ff6a1975969e3de3e8daec8439f499c62a58817a588dac557aed7729b7a
Instruction ID: a182814d945691c45542146fe3b7b64df6c54ca08356ea6969f0606aa24f0f51
Opcode Fuzzy Hash: 7cad2ff6a1975969e3de3e8daec8439f499c62a58817a588dac557aed7729b7a
Instruction Fuzzy Hash: 73110A323843097BEB215AA6AC0BF7F3B6CEBC1B14F000054FA00972E1DE55DA2097A1

Function 007EE46D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F360B

Strings

sspi_ImportSecurityContextA, xrefs: 007F3653, 007F368B, 007F3690, 007F3696
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3658, 007F3697
ImportSecurityContextA: %s (0x%08X), xrefs: 007F364E
[%s]: Security module does not provide an implementation, xrefs: 007F3691

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextA
API String ID: 689400697-848437295
Opcode ID: d25ecdb7906a2e09e2f813d5e3c56ebbef7f9967fac97af01735fc3aca3591e6
Instruction ID: dee5c046fb70f7f5b3e5ef51189c041d2b39a34cce35ce6b85df44a9ab49c983
Opcode Fuzzy Hash: d25ecdb7906a2e09e2f813d5e3c56ebbef7f9967fac97af01735fc3aca3591e6
Instruction Fuzzy Hash: 81110D323883097BDB219A56AC07E3F3B6CDB96B24F000055FA04A63E1DE55CA1197A4

Function 007EE452 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F33CB

Strings

sspi_ExportSecurityContext, xrefs: 007F3413, 007F344B, 007F3450, 007F3456
ExportSecurityContext: %s (0x%08X), xrefs: 007F340E
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3418, 007F3457
[%s]: Security module does not provide an implementation, xrefs: 007F3451

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ExportSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ExportSecurityContext
API String ID: 689400697-3640258815
Opcode ID: 2a395dd6f95325d929aeeb4c5b1251234bf8adabcdba854a76b79652e21102f9
Instruction ID: a4a71a657cb8204819f001215911d454306e3e6300aad72c4c53caf5a86db795
Opcode Fuzzy Hash: 2a395dd6f95325d929aeeb4c5b1251234bf8adabcdba854a76b79652e21102f9
Instruction Fuzzy Hash: 831120323843497BDB225B96EC07F7F3B5CEB92B54F000054FB00A62E1DA5ACA119774

Function 007EE4FE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F4544

Strings

VerifySignature: %s (0x%08X), xrefs: 007F4587
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F4591, 007F45D0
sspi_VerifySignature, xrefs: 007F458C, 007F45C4, 007F45C9, 007F45CF
[%s]: Security module does not provide an implementation, xrefs: 007F45CA

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$VerifySignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_VerifySignature
API String ID: 689400697-1495805676
Opcode ID: 59db40a82ffa29b6f47f643c80b8334205034f2adc8446dfb8f5b9c5cd16f415
Instruction ID: c26b3c0c460d574f752e4e4868f748b1a78dcaa02666a3c442f49acbd6e4c2be
Opcode Fuzzy Hash: 59db40a82ffa29b6f47f643c80b8334205034f2adc8446dfb8f5b9c5cd16f415
Instruction Fuzzy Hash: 40110D723843497BDB11AA96AC07E7B3B9CE786B24F000054FB00972E1DA55C9219665

Function 007EE4F5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F40BB

Strings

sspi_SetContextAttributesW, xrefs: 007F4103, 007F413B, 007F4140, 007F4146
SetContextAttributesW: %s (0x%08X), xrefs: 007F40FE
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F4108, 007F4147
[%s]: Security module does not provide an implementation, xrefs: 007F4141

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesW
API String ID: 689400697-247170817
Opcode ID: 3bcf66b405b26c3f0c1b71bb355f4acb18d8e199d717a4112d055ec1bc897e44
Instruction ID: 11fb41da5a4ecd9b3728cd8b2c6274db9ab61a5fe3c88cdf0b5cbec8b178d893
Opcode Fuzzy Hash: 3bcf66b405b26c3f0c1b71bb355f4acb18d8e199d717a4112d055ec1bc897e44
Instruction Fuzzy Hash: FF11CD3238430DBBDB226A56EC07E7F3A5CE796B20F004454FB00962E1DA59CE509771

Function 007EE4EC Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F417E

Strings

SetContextAttributesA: %s (0x%08X), xrefs: 007F41C1
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F41CB, 007F420A
sspi_SetContextAttributesA, xrefs: 007F41C6, 007F41FE, 007F4203, 007F4209
[%s]: Security module does not provide an implementation, xrefs: 007F4204

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesA
API String ID: 689400697-1164902870
Opcode ID: 1cea59ef2714f7f263424fc5199dc5eabf237963b443f262ff1fff6760689f5a
Instruction ID: b2e64d43513bf8cb8fcfbf05a867a096e1ddec869a0225b837fefc4a10029712
Opcode Fuzzy Hash: 1cea59ef2714f7f263424fc5199dc5eabf237963b443f262ff1fff6760689f5a
Instruction Fuzzy Hash: 2E11E03638430D7BE7229A96AC07E7F3E6CE795B10F000054FB00952E1DB55DA51D775

Function 007EE49B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F4481

Strings

sspi_MakeSignature, xrefs: 007F44C9, 007F4501, 007F4506, 007F450C
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F44CE, 007F450D
MakeSignature: %s (0x%08X), xrefs: 007F44C4
[%s]: Security module does not provide an implementation, xrefs: 007F4507

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$MakeSignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_MakeSignature
API String ID: 689400697-3834539683
Opcode ID: 4f7b3a7502cf82d8df8e21a8ae65ac44e8219f768ef9a180e588ed8341f7b3c4
Instruction ID: 54184abdf51ca91f3d4ba519a123df4d5e2395d1fc91a521834f300992f8ff1e
Opcode Fuzzy Hash: 4f7b3a7502cf82d8df8e21a8ae65ac44e8219f768ef9a180e588ed8341f7b3c4
Instruction Fuzzy Hash: CE11EB72384349BBD7216B96AC07F7B3B68E781B10F004054FB00A62E1DA95CE10D665

Function 007C1A7D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

ncrush_context_reset.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,00000000), ref: 007C1B36

Strings

C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c, xrefs: 007C1B19
com.freerdp.codec, xrefs: 007C1AF1
ncrush_context_new: failed to initialize tables, xrefs: 007C1B0F
ncrush_context_new, xrefs: 007C1B14

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ncrush_context_reset
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c$com.freerdp.codec$ncrush_context_new$ncrush_context_new: failed to initialize tables
API String ID: 2838332675-904927664
Opcode ID: d43aa9d442d0727155c58f67b75515689db6decb5baab5b1a2a75099d5dce7b7
Instruction ID: a3db79263a7d0878566cef651d7be8b16f3614322011785dfd98f7b3fec14ab0
Opcode Fuzzy Hash: d43aa9d442d0727155c58f67b75515689db6decb5baab5b1a2a75099d5dce7b7
Instruction Fuzzy Hash: 881138F22007067AE304AF55AC42F96B7A8EB41754F40412DF108A66C2EFB5AD518FA1

Function 007EE4BF Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F36CE

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3718, 007F3757
sspi_QueryCredentialsAttributesW, xrefs: 007F3713, 007F374B, 007F3750, 007F3756
QueryCredentialsAttributesW: %s (0x%08X), xrefs: 007F370E
[%s]: Security module does not provide an implementation, xrefs: 007F3751

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesW
API String ID: 689400697-3413647607
Opcode ID: 95204173faba25f484337e3134626ea5b4aa7823160f5779d6b8a2bf0cec04d4
Instruction ID: 6dbd96fef31070a31416fe4a9d02d51d81d1467a8ca268f1d003474b487d5f91
Opcode Fuzzy Hash: 95204173faba25f484337e3134626ea5b4aa7823160f5779d6b8a2bf0cec04d4
Instruction Fuzzy Hash: 7011ECB23883457BE7216756EC47E3F3B9CEB96B14F000055FA04AA2E1DA55CA11D671

Function 007EE4B6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F378E

Strings

sspi_QueryCredentialsAttributesA, xrefs: 007F37D3, 007F380B, 007F3810, 007F3816
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F37D8, 007F3817
QueryCredentialsAttributesA: %s (0x%08X), xrefs: 007F37CE
[%s]: Security module does not provide an implementation, xrefs: 007F3811

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesA
API String ID: 689400697-3754301720
Opcode ID: 734747a967c5a372421678cbe2db95f6ee94e86db2798421d7cdb5b8fa914903
Instruction ID: f2392431cb5ec29a8533307537c353638ae09f0507dd369e844294074b901e72
Opcode Fuzzy Hash: 734747a967c5a372421678cbe2db95f6ee94e86db2798421d7cdb5b8fa914903
Instruction Fuzzy Hash: 8D115CB23883497BE7216756EC4BE3F3B9CE796B60F000054FB04962E1DA59CA11D7B0

Function 007EE4AD Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3E7E

Strings

QueryContextAttributesW: %s (0x%08X), xrefs: 007F3EBE
sspi_QueryContextAttributesW, xrefs: 007F3EC3, 007F3EFB, 007F3F00, 007F3F06
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3EC8, 007F3F07
[%s]: Security module does not provide an implementation, xrefs: 007F3F01

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesW
API String ID: 689400697-2578917824
Opcode ID: ddb0181ea27ab2c81b61b4bacf3a9d0557ef9b75cf2b85d578a9d6dbca93bd93
Instruction ID: ce0f634fcd490ccb394d69fac11c172bb7adaed3f2ab857b5e36c4b93583a5e3
Opcode Fuzzy Hash: ddb0181ea27ab2c81b61b4bacf3a9d0557ef9b75cf2b85d578a9d6dbca93bd93
Instruction Fuzzy Hash: F711EC72388305BBDB229B56AC07E3F3AACEB96F24F000155F604962E1DA56DA518761

Function 007EE4A4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3F3E

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3F88, 007F3FC7
sspi_QueryContextAttributesA, xrefs: 007F3F83, 007F3FBB, 007F3FC0, 007F3FC6
QueryContextAttributesA: %s (0x%08X), xrefs: 007F3F7E
[%s]: Security module does not provide an implementation, xrefs: 007F3FC1

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesA
API String ID: 689400697-3211427146
Opcode ID: 38e856b125b691d9f6cb172beeefbc067684655f26eec96b43df06f1ce93a8b8
Instruction ID: d755e6fa1e4d546d25f6042d0fd640054b9c2124fb063a2f2e7d6ff6ae7acffc
Opcode Fuzzy Hash: 38e856b125b691d9f6cb172beeefbc067684655f26eec96b43df06f1ce93a8b8
Instruction Fuzzy Hash: FF11EC32388349BBDB226756EC07E3F3FADEB96B60F004154F604962E1DA95CA108761

Function 007EE449 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F2F33

Strings

EnumerateSecurityPackagesW: %s (0x%08X), xrefs: 007F2F70
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F2F7A, 007F2FB9
[%s]: Security module does not provide an implementation, xrefs: 007F2FB3
sspi_EnumerateSecurityPackagesW, xrefs: 007F2F75, 007F2FAD, 007F2FB2, 007F2FB8

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesW
API String ID: 689400697-255015424
Opcode ID: 12a12ab79b38cd45e7d4506beb40dd4c806ad8d97c355526b274d0fbfd9a4929
Instruction ID: 5efb14c88b9dc6e0d9e619145176a973a1e813f84babf2268ed45768ff2d34cf
Opcode Fuzzy Hash: 12a12ab79b38cd45e7d4506beb40dd4c806ad8d97c355526b274d0fbfd9a4929
Instruction Fuzzy Hash: 1511EC713883097BD6216697AC07E7B3FECE796B20F000055FA04AA2E2D755CD1286A1

Function 007EE440 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F2FF0

Strings

EnumerateSecurityPackagesA: %s (0x%08X), xrefs: 007F302D
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3037, 007F3076
sspi_EnumerateSecurityPackagesA, xrefs: 007F3032, 007F306A, 007F306F, 007F3075
[%s]: Security module does not provide an implementation, xrefs: 007F3070

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesA
API String ID: 689400697-1149382491
Opcode ID: 4de7f7394397a5e7a9b848a69e662966ffce784b3130189c11479111507ca3e2
Instruction ID: 685f8abdd719fb7859ea9605c0a15bd83b05502d516ada94ddf3fcdfef1b610f
Opcode Fuzzy Hash: 4de7f7394397a5e7a9b848a69e662966ffce784b3130189c11479111507ca3e2
Instruction Fuzzy Hash: 7B110C323883497BE7315696EC0BE7F3FADDB82B64F000095FB04A62E1DB55CE1182A0

Function 007EE425 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F39DD

Strings

CompleteAuthToken: %s (0x%08X), xrefs: 007F3A1A
sspi_CompleteAuthToken, xrefs: 007F3A1F, 007F3A57, 007F3A5C, 007F3A62
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3A24, 007F3A63
[%s]: Security module does not provide an implementation, xrefs: 007F3A5D

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$CompleteAuthToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_CompleteAuthToken
API String ID: 689400697-1972714555
Opcode ID: aab0a8e75e6d1b727e82e05850096b1f55cce9df72951b202f347d79c65b0ee4
Instruction ID: af77e56ba21917058eac92df97fdc403173fce8904f5c97ceb4437c52f0e9d7e
Opcode Fuzzy Hash: aab0a8e75e6d1b727e82e05850096b1f55cce9df72951b202f347d79c65b0ee4
Instruction Fuzzy Hash: 8F11C07138434577E6219657EC07E3B3F9CEBD1F54F004054F604962E1DA95DB1186A5

Function 007EE41C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3920

Strings

ApplyControlToken: %s (0x%08X), xrefs: 007F395D
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3967, 007F39A6
sspi_ApplyControlToken, xrefs: 007F3962, 007F399A, 007F399F, 007F39A5
[%s]: Security module does not provide an implementation, xrefs: 007F39A0

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: ApplyControlToken: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_ApplyControlToken
API String ID: 689400697-2845897268
Opcode ID: 0ad636eacc568951372688fd5076d76ea07069d65eba7da09a6eb89d6242e7f3
Instruction ID: 4dd59be5b191ce9206f41f6697e5a34582875b86541c5379b77bd61d17ed1f50
Opcode Fuzzy Hash: 0ad636eacc568951372688fd5076d76ea07069d65eba7da09a6eb89d6242e7f3
Instruction Fuzzy Hash: 0F11C07138434977E6219657AC07E3F3A9CE7D5BA4F000054F604962E1DAD5DE1186A5

Function 007EE4DA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F30AD

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F30F4, 007F3133
QuerySecurityPackageInfoW: %s (0x%08X), xrefs: 007F30EA
sspi_QuerySecurityPackageInfoW, xrefs: 007F30EF, 007F3127, 007F312C, 007F3132
[%s]: Security module does not provide an implementation, xrefs: 007F312D

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoW
API String ID: 689400697-2261828479
Opcode ID: a0790411be8ee2fe7c13e9f61a81ca70581285f86e852015ba97964b64c54f34
Instruction ID: 12ef1b9ead9045436422de8e93cb83dac7264d9a48d35ad66504050b2e83d8e2
Opcode Fuzzy Hash: a0790411be8ee2fe7c13e9f61a81ca70581285f86e852015ba97964b64c54f34
Instruction Fuzzy Hash: A411EC7138830D77E6215697EC07E7B3AACD796B24F000095F604962D1DB95DA1082B0

Function 007EE4D1 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F316A

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F31B1, 007F31F0
sspi_QuerySecurityPackageInfoA, xrefs: 007F31AC, 007F31E4, 007F31E9, 007F31EF
QuerySecurityPackageInfoA: %s (0x%08X), xrefs: 007F31A7
[%s]: Security module does not provide an implementation, xrefs: 007F31EA

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoA
API String ID: 689400697-3351603741
Opcode ID: 8dfac1197b04e895c168effad476f8b9f782b9f3365285408d642e06f710b1d5
Instruction ID: 9552c3be1850b3ee867d75a8d59915e4a1c072e2e97abbe0ed4b16a257fd96b7
Opcode Fuzzy Hash: 8dfac1197b04e895c168effad476f8b9f782b9f3365285408d642e06f710b1d5
Instruction Fuzzy Hash: 6A11003138830D77E6216796AC07E7B3E5CE792B20F000094FB04963D2D755DA15C660

Function 007EE4C8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3FFE

Strings

QuerySecurityContextToken: %s (0x%08X), xrefs: 007F403B
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F4045, 007F4084
sspi_QuerySecurityContextToken, xrefs: 007F4040, 007F4078, 007F407D, 007F4083
[%s]: Security module does not provide an implementation, xrefs: 007F407E

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityContextToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityContextToken
API String ID: 689400697-2156878011
Opcode ID: 847178f67d7e438ad2bd342109a67946cea162d5d21d9568b083c22e43acc55b
Instruction ID: e29b64be4f513513d7a07da768ba911a3122e83c636b1a15529abd8d0f94e8c0
Opcode Fuzzy Hash: 847178f67d7e438ad2bd342109a67946cea162d5d21d9568b083c22e43acc55b
Instruction Fuzzy Hash: 58110032384309BBE7216657EC07F3B3A5CD7C1B14F004094F704962E1DE95D95082B5

Function 007C954D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

freerdp_image_copy.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 007C95B5

Strings

SmartScaling requested but compiled without libcairo support!, xrefs: 007C95E6
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 007C95F0
freerdp_image_scale, xrefs: 007C95EB
com.freerdp.color, xrefs: 007C95C8

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_image_copy
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$SmartScaling requested but compiled without libcairo support!$com.freerdp.color$freerdp_image_scale
API String ID: 1523062921-212429655
Opcode ID: 3d072491735d5a45f0a30d2a0802a6c1bd347be3c031f2f674e5602bd0ef4547
Instruction ID: 2d3867f2bba8b34c76116260b682d15f0bed4055b6f49062366d90396cc7f774
Opcode Fuzzy Hash: 3d072491735d5a45f0a30d2a0802a6c1bd347be3c031f2f674e5602bd0ef4547
Instruction Fuzzy Hash: 35219A7228020AABDF55DF54DC02FAE3BA9EB58704F04810DFE189A1D0E775E9219F80

Function 007EE464 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3C0E

Strings

sspi_ImpersonateSecurityContext, xrefs: 007F3C4D, 007F3C85, 007F3C8A, 007F3C90
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3C52, 007F3C91
ImpersonateSecurityContext: %s (0x%08X), xrefs: 007F3C48
[%s]: Security module does not provide an implementation, xrefs: 007F3C8B

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImpersonateSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImpersonateSecurityContext
API String ID: 689400697-4242683877
Opcode ID: 49886af16ccd86f30b912e3af65e2b73fe23a0e5bc6e06106ddfbd3dedcee2dc
Instruction ID: 496d5d5d8e958d7d68e0883f8ea3f0fa1e1a99a4d8636eb50cbcbbfd6dd3454b
Opcode Fuzzy Hash: 49886af16ccd86f30b912e3af65e2b73fe23a0e5bc6e06106ddfbd3dedcee2dc
Instruction Fuzzy Hash: A111CC713843057BE6216657AC0BE7F3A5CD7D2F54F000055FA04A62E1DA95DB11C2B5

Function 007EE45B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3B54

Strings

FreeContextBuffer: %s (0x%08X), xrefs: 007F3B8E
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3B98, 007F3BD7
sspi_FreeContextBuffer, xrefs: 007F3B93, 007F3BCB, 007F3BD0, 007F3BD6
[%s]: Security module does not provide an implementation, xrefs: 007F3BD1

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeContextBuffer: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeContextBuffer
API String ID: 689400697-1791514552
Opcode ID: d78aa13d68907ac4d12e1826cba75d71805fd9bdf7b78eb271ea3f6c338a11f3
Instruction ID: 368231aa75f9a9be642f0cf35fb9f32d333ac80d5ffc896841b250b3fdbc0459
Opcode Fuzzy Hash: d78aa13d68907ac4d12e1826cba75d71805fd9bdf7b78eb271ea3f6c338a11f3
Instruction Fuzzy Hash: 2A11DF7138834577E6215697EC07E3F3E9CE7D6B54F000094F604AA2D1DE95DE1187B5

Function 007EE4E3 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F4241

Strings

RevertSecurityContext: %s (0x%08X), xrefs: 007F427B
sspi_RevertSecurityContext, xrefs: 007F4280, 007F42B8, 007F42BD, 007F42C3
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F4285, 007F42C4
[%s]: Security module does not provide an implementation, xrefs: 007F42BE

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$RevertSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_RevertSecurityContext
API String ID: 689400697-954186549
Opcode ID: daf08d3b5552e43e6ffe60ccda37819948d56369d66702e2fc08a56f4bfdb5dd
Instruction ID: 12fbefbd4ddd69c6e0d3d45415504009c5f36fc045d602535ed7b7b2c1a0a73b
Opcode Fuzzy Hash: daf08d3b5552e43e6ffe60ccda37819948d56369d66702e2fc08a56f4bfdb5dd
Instruction Fuzzy Hash: 43112F723843097BF6216697FC07F3B3A6CE7D2B60F0000A5FB00A62D1DA95DE5086B5

Function 007EE510 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F348E

Strings

sspi_FreeCredentialsHandle, xrefs: 007F34CD, 007F3505, 007F350A, 007F3510
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F34D2, 007F3511
[%s]: Security module does not provide an implementation, xrefs: 007F350B
FreeCredentialsHandle: %s (0x%08X), xrefs: 007F34C8

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeCredentialsHandle: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeCredentialsHandle
API String ID: 689400697-3116451197
Opcode ID: bab3f677e1510312369b3f3526f4f2c6df3fac5bce83f144a487fd89e2e27cc2
Instruction ID: 1b680d059dfb699058ea08f5c58e412823dd868780202b4fcfeedd5b06de21c7
Opcode Fuzzy Hash: bab3f677e1510312369b3f3526f4f2c6df3fac5bce83f144a487fd89e2e27cc2
Instruction Fuzzy Hash: 6F110C713883457BE6226666AC0BF7B3A5CD7D2B10F004054F704972D1DA55DE5182B5

Function 007EE507 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00AA70C8,007F4AA1,00000000,00000000), ref: 007F3A9A

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 007F3ADE, 007F3B1D
DeleteSecurityContext: %s (0x%08X), xrefs: 007F3AD4
sspi_DeleteSecurityContext, xrefs: 007F3AD9, 007F3B11, 007F3B16, 007F3B1C
[%s]: Security module does not provide an implementation, xrefs: 007F3B17

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DeleteSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DeleteSecurityContext
API String ID: 689400697-4185332897
Opcode ID: bcf0a8333f4783a4ecbdf29bb0765506fdf099c4bb4d6710c9e2e65b4b5bc6f3
Instruction ID: a6f441c38fd2dcf72ab78b40cb0e502c4042d0f1dc764e67184be71416c1a9b6
Opcode Fuzzy Hash: bcf0a8333f4783a4ecbdf29bb0765506fdf099c4bb4d6710c9e2e65b4b5bc6f3
Instruction Fuzzy Hash: EA110C713843497BE6229697AC07E3B3A9CD7D2B54F000065F604A62E1DE99DA1186B5

Function 008765C5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

primitives_get.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE ref: 008765CB

Strings

yuv_process_work_callback, xrefs: 0087662E
com.freerdp.codec, xrefs: 0087660B
error when decoding lines, xrefs: 00876629
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c, xrefs: 00876633

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: primitives_get
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c$com.freerdp.codec$error when decoding lines$yuv_process_work_callback
API String ID: 2017034601-2620645302
Opcode ID: 59a151fbf8e5e34d8ea8a5be94f723e37c482df023f70d05e26942845a91e0ee
Instruction ID: 85eccbcde70e06f40f1be6142091c75dc28cc9fca3814a85ab24e30203b4097c
Opcode Fuzzy Hash: 59a151fbf8e5e34d8ea8a5be94f723e37c482df023f70d05e26942845a91e0ee
Instruction Fuzzy Hash: F00196B1640306AFD704EF54DC02F5A7BA8FF08714F004559F908DA392E675E9508B94

Function 007C9EF7 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

region16_extents.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 007C9F06
region16_extents.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?), ref: 007C9F12
region16_n_rects.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?), ref: 007C9F1D
region16_n_rects.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 007C9F7D

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: region16_extentsregion16_n_rects
String ID:
API String ID: 2062899502-0
Opcode ID: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
Instruction ID: 496b7fe06861355da477e616963c7de60900e26a32ea3fabed9bffca113b7886
Opcode Fuzzy Hash: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
Instruction Fuzzy Hash: CD514A75D0012AEFCB14DF99C8449AEF7F5FF18310B15816AE859E7250E338AE40CBA1

Function 001E8E40 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00A21278,001E8C90,001E8EC0,00000000), ref: 001E8E6A
GetLastError.KERNEL32 ref: 001E8E7F
TlsGetValue.KERNEL32 ref: 001E8E8D
SetLastError.KERNEL32(00000000), ref: 001E8E96
TlsAlloc.KERNEL32 ref: 001E8EC3

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ErrorLastOnce$AllocExecuteInitValue
String ID:
API String ID: 2822033501-0
Opcode ID: f98747e91f1510d3c03e024b37d88cda8134ab2202a4742807b10f2bc918ec66
Instruction ID: 735345a804b7d0938d4c81e37330222edb03a7aeec646b77d291fe655904f0f1
Opcode Fuzzy Hash: f98747e91f1510d3c03e024b37d88cda8134ab2202a4742807b10f2bc918ec66
Instruction Fuzzy Hash: EA01A1366002099FCB109FBDEC49ABE77A8FB49720B501235F819D3250EB3098028BA1

Function 008749E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

audio_format_print.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?), ref: 00874A72

Strings

AUDIO_FORMATS (%hu) ={, xrefs: 00874A12
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c, xrefs: 00874A1C, 00874A59, 00874A9A
audio_formats_print, xrefs: 00874A17, 00874A54, 00874A95

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: audio_format_print
String ID: AUDIO_FORMATS (%hu) ={$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_formats_print
API String ID: 2744001552-3527835062
Opcode ID: edfe0f5daff5fdba378d8889fb5591fefcf67def4f86d5fd4d4c009e02eddb66
Instruction ID: 57a9e6273701c1a356fe17d6c375173db90836541b62b1a6998b8c8157d78dca
Opcode Fuzzy Hash: edfe0f5daff5fdba378d8889fb5591fefcf67def4f86d5fd4d4c009e02eddb66
Instruction Fuzzy Hash: F611367228131573CA11BD165C46FAF2B9CEFA6B28F004006F908A92C6E7B5D600C3BA

Function 007711D7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

getChannelError.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 00771248

Strings

ChannelDetached, xrefs: 0077127F
freerdp, xrefs: 00771278
(, xrefs: 00771295

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ChannelError
String ID: ($ChannelDetached$freerdp
API String ID: 1163697128-436519898
Opcode ID: 3d704b52ecb8622e8688ef1d243d6a6cfec9328e200d13e50cae8b6fc501ce95
Instruction ID: c734f4c03f86056d3c86e0bbd8d116337bb7d79a3691938737f4ebbccc2c40cb
Opcode Fuzzy Hash: 3d704b52ecb8622e8688ef1d243d6a6cfec9328e200d13e50cae8b6fc501ce95
Instruction Fuzzy Hash: 16212C71A00209EFDF14DF98C885FAEBBF5FF08344F508469E948E7252D775AA509BA0

Function 00770B41 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

getChannelError.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 00770BB2

Strings

ChannelAttached, xrefs: 00770BE9
(, xrefs: 00770BFF
freerdp, xrefs: 00770BE2

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ChannelError
String ID: ($ChannelAttached$freerdp
API String ID: 1163697128-2646891115
Opcode ID: 75e34950488e4f2d9666e63669657ac7f54e31fe96c050234b09f63d81a3c437
Instruction ID: 4127bc44995f827e5f6cda5d30103edee919a2e5d3bcee8529b2b413990300c9
Opcode Fuzzy Hash: 75e34950488e4f2d9666e63669657ac7f54e31fe96c050234b09f63d81a3c437
Instruction Fuzzy Hash: AE212CB1A00209EFDF15DF98C885FAEBBF4FF08344F104569E948E7252D775AA509BA0

Function 007E783A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

rdpsnd, xrefs: 007E78CA
audin, xrefs: 007E78F8

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID: audin$rdpsnd
API String ID: 0-930729200
Opcode ID: 3caee06e747dd293a702594acf066384abb4627a07701392cde9461aa5302ee5
Instruction ID: 40dd9569096369059681c02856a32e1b3c2d4b64e35a8d7c6a14190f960e5b46
Opcode Fuzzy Hash: 3caee06e747dd293a702594acf066384abb4627a07701392cde9461aa5302ee5
Instruction Fuzzy Hash: BB118631A0AA96EBD728CF26C88079AF3A5FF08B51F15832AE45457141D7347D50CBD1

Function 007EF7BD Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 007EF7D2
RtlLeaveCriticalSection.NTDLL(?), ref: 007EF819

Strings

U)v, xrefs: 007EF7C1, 007EF805
U)v, xrefs: 007EF7C0

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: U)v$U)v
API String ID: 3168844106-45598511
Opcode ID: 27a5e4e312016fe8d4166c70fb4649dcd19cc725d8097cb7abcbfb4b9dcbba84
Instruction ID: c499d3fa4eaa7a78f644aaa26322edc7ee44b500b85a587b398846d916cfbf44
Opcode Fuzzy Hash: 27a5e4e312016fe8d4166c70fb4649dcd19cc725d8097cb7abcbfb4b9dcbba84
Instruction Fuzzy Hash: 6C014F32101606AFD7209F6AD880B56B7E8FF88761B25852AF455D3A00EB35FC508B90

Function 00874701 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

audio_format_get_tag_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,?,?,?,?), ref: 00874737

Strings

%s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu, xrefs: 0087473E
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c, xrefs: 00874748
audio_format_print, xrefs: 00874743

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: audio_format_get_tag_string
String ID: %s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_format_print
API String ID: 2866491501-3564663344
Opcode ID: c105370c52dac6d54cf9b663c52215eaf9e6e5d838fc6a41ee890fa12c497e49
Instruction ID: 8b931e811926bfbb3666b339df61b4da2955cdc0c2ad2ee7b9fcf91a1320e94a
Opcode Fuzzy Hash: c105370c52dac6d54cf9b663c52215eaf9e6e5d838fc6a41ee890fa12c497e49
Instruction Fuzzy Hash: 81F030B6140308BADB455F51CC02E76776DEB48B18F24C049FD5C8C192E77BD9A2E764

Function 007F6F82 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 30COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 007F6F93
RtlLeaveCriticalSection.NTDLL(?), ref: 007F6FC0

Strings

Gz, xrefs: 007F6F86
Gz, xrefs: 007F6F85

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: Gz$Gz
API String ID: 3168844106-392219598
Opcode ID: 1d9f5c2f3ffe7bed2a6c9aa40dbfbb92d1131925b3db44029a1c92b382424d43
Instruction ID: d3d36b3d70f330734b952efbb3c36b5924f2ba2a652ac988be4f7ea5ab8d1d83
Opcode Fuzzy Hash: 1d9f5c2f3ffe7bed2a6c9aa40dbfbb92d1131925b3db44029a1c92b382424d43
Instruction Fuzzy Hash: 8BF05E3500460ACFC724DF5DE848AA6F3E8FF44320B51481DE69683A60DB38F984CB80

Function 00762713 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

freerdp_get_last_error.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 00762725
freerdp_set_last_error_ex.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,0002000B,freerdp_abort_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,0000013A), ref: 00762745

Strings

freerdp_abort_connect, xrefs: 00762739
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00762734

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_get_last_errorfreerdp_set_last_error_ex
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$freerdp_abort_connect
API String ID: 3690923134-629580617
Opcode ID: 30c5351e16852ba503292ac56756dc1a8bf1691606d7753d5b57f1b42aff017d
Instruction ID: 7c35e761b263184de4f7ec045c315ca1aaa32ea6c299d8721eae0716d9d629fa
Opcode Fuzzy Hash: 30c5351e16852ba503292ac56756dc1a8bf1691606d7753d5b57f1b42aff017d
Instruction Fuzzy Hash: 6AE02031341714EBDB712D20DC06F55F7949F00BE4F104419FEC675093EE695D51D581

Function 0087632D Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

primitives_get.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE ref: 0087633F
primitives_flags.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000), ref: 00876353
TpWaitForWork.NTDLL(00000000,00000000), ref: 008764A9
TpReleaseWork.NTDLL(00000000), ref: 008764B2

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Work$ReleaseWaitprimitives_flagsprimitives_get
String ID:
API String ID: 704174238-0
Opcode ID: 3e800bc09e636d8345bf3c83b65673becb7412501e50ed56a27415f55b9e0b6a
Instruction ID: 5ac4cde3219f0aa4856494124ef4b643342b25e79f7b4ee1e4b5892a5d0cabae
Opcode Fuzzy Hash: 3e800bc09e636d8345bf3c83b65673becb7412501e50ed56a27415f55b9e0b6a
Instruction Fuzzy Hash: 4C611AB5A0060ADFCB04CF68C98199EBBF5FF48310B14856AE819E7351E730E951CF94

Function 007CC297 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

gdi_SetRgn.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?,?,00000000,00000001,?,?), ref: 007CC324

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: gdi_
String ID:
API String ID: 2273374161-0
Opcode ID: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
Instruction ID: 5ec0b5d8a0cd5b6503eed68f3c51818b7226ee504baec2b35a80064e75f85e38
Opcode Fuzzy Hash: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
Instruction Fuzzy Hash: 8A31C771900209EFCB11DF98C985EAEB7F9FF48310F14806EE905A7211D334E945CBA1

Function 007F5C02 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 007F5C16
RtlLeaveCriticalSection.NTDLL(?), ref: 007F5C34
RtlLeaveCriticalSection.NTDLL(?), ref: 007F5C54
RtlLeaveCriticalSection.NTDLL(?), ref: 007F5C9A

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 08ce8725a9482028900a372ed086de678e1a6573a7eb23dcb1b0cb7b8fd8dc4a
Instruction ID: ef167e8c515dbf8ed6aab41101f0912c396c58aa3e1c34c220e366578ec096f6
Opcode Fuzzy Hash: 08ce8725a9482028900a372ed086de678e1a6573a7eb23dcb1b0cb7b8fd8dc4a
Instruction Fuzzy Hash: 27216A35600B0AEFDB248F18C984A79B7F4FB45321F114569EA83A7350D778AD81CB60

Function 007C9BBD Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

region16_rects.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000000), ref: 007C9BDC
region16_extents.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 007C9BEC
rectangles_intersects.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,?), ref: 007C9BF7

Part of subcall function 007C97FD: rectangles_intersection.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,?,?), ref: 007C980C

rectangles_intersects.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,?), ref: 007C9C1A

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: rectangles_intersects$rectangles_intersectionregion16_extentsregion16_rects
String ID:
API String ID: 3854534691-0
Opcode ID: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
Instruction ID: ce89577c72441b2c0599e5d4d9c3108dcc4cbb03422a855bfabc415ce0a7b14f
Opcode Fuzzy Hash: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
Instruction Fuzzy Hash: 9A01C433124619E99B749A75D889FFB73DCEB40760F14401EFA1896040EB3DEC81C1B4

Function 007E1F3D Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

freerdp_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE ref: 007E1F56
freerdp_context_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,00000000,?,?), ref: 007E1FA4
freerdp_register_addin_provider.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000000), ref: 007E1FC7

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_context_newfreerdp_newfreerdp_register_addin_provider
String ID:
API String ID: 3731710698-0
Opcode ID: 76e78b209a268a36a8604e64c44b7bffd7f9f0d3f5820bb9a24bc5dd9b8c3c65
Instruction ID: c3c56def2568ee28b79d30aef26cda4512f6deed5c5abcb46006e349eb0e7342
Opcode Fuzzy Hash: 76e78b209a268a36a8604e64c44b7bffd7f9f0d3f5820bb9a24bc5dd9b8c3c65
Instruction Fuzzy Hash: 8E11A371606B069BC724AF77D802B96B7A9FF58320F50441DF869C7241EB78F851CA91

Function 00776AF2 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

freerdp_settings_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000), ref: 00777326

Part of subcall function 00777F9B: GetComputerNameExA.KERNEL32(00000000,?,?,00000000), ref: 00777FCC
Part of subcall function 00777F9B: freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?,00000680,?), ref: 00777FFC

freerdp_settings_set_string.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000,00000086,?), ref: 00776D8C

Strings

C:\Windows\System32\mstscax.dll, xrefs: 00776F3F

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_settings_set_string$ComputerNamefreerdp_settings_free
String ID: C:\Windows\System32\mstscax.dll
API String ID: 2334115954-183970058
Opcode ID: 943d34f3437fe61c7cdb8bd9359812f9a42e4b3f724ed513c94d0be7a4c75dc0
Instruction ID: ad2e709e5b1aefc54312f7330df0287405794410f42757cdc55fa218e3252c3b
Opcode Fuzzy Hash: 943d34f3437fe61c7cdb8bd9359812f9a42e4b3f724ed513c94d0be7a4c75dc0
Instruction Fuzzy Hash: E0E1D4B0514F009EE324DF38D885A97BBE4FF08311F50992EE5AEC7291DBB5A584CB49

Function 007CD99D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

, xrefs: 007CD9E7

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: Rectgdi_
String ID:
API String ID: 2404991910-3916222277
Opcode ID: 8ba7598446483d01aacccd95e18fab9370839817ab0e812389b110f6684f8608
Instruction ID: ea2c884a4edb03c4b10f0515ffd607bc09cf742c6b9becdac1344c938e80bfed
Opcode Fuzzy Hash: 8ba7598446483d01aacccd95e18fab9370839817ab0e812389b110f6684f8608
Instruction Fuzzy Hash: 7D51A6B3000149BBCF12DE90CD45EEB7BADBF48354B06416EFE19A1021E736ED259BA1

Function 007F68CF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,?,007F6A0A,?,?,00000000,?,007EE976,00000000), ref: 007F697B

Strings

%s: unknown handler type %u, xrefs: 007F6903
WLog_Appender_New, xrefs: 007F68FE

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: %s: unknown handler type %u$WLog_Appender_New
API String ID: 2593887523-3466059274
Opcode ID: 17444c81fbd6cec80df9cf919f4837692342291d2b9403ac440041c37710c643
Instruction ID: c8cb14378b65676d77b9266efa4a57ee69c630c5e918837c3878745db7f90c13
Opcode Fuzzy Hash: 17444c81fbd6cec80df9cf919f4837692342291d2b9403ac440041c37710c643
Instruction Fuzzy Hash: A811063650C20DA69522FA386C4ED3F5668DF42B30B24401DF705A6351DEBDF8016162

Function 00763FD6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

%s%s-client.%s, xrefs: 0076415A
DeviceServiceEntry, xrefs: 0076419C

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID:
String ID: %s%s-client.%s$DeviceServiceEntry
API String ID: 0-2733899524
Opcode ID: f67ea96066d1bfbfcad1d51a7b0fbd9ad1d7f21ec125cf2f46bdf37a3bee9ee9
Instruction ID: 07526d8f23136dc3fbe9cd182dc6aaba0ee0c69c8b9d211ea7971bf642567a0b
Opcode Fuzzy Hash: f67ea96066d1bfbfcad1d51a7b0fbd9ad1d7f21ec125cf2f46bdf37a3bee9ee9
Instruction Fuzzy Hash: 9811C172A0021DABAB159E99CC81AAF7BACEF81B54F08005AFD11D7241D778CE418B91

Function 007A4029 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 007A4060
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 007A4076

Strings

%s %hu %s %s %s, xrefs: 007A40FC

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: File$CreatePointer
String ID: %s %hu %s %s %s
API String ID: 2024441833-2916857029
Opcode ID: 8d20399ca0c45e9d9822cf7c71a5e7941afc738dccdfec787f62a1a92b8aa047
Instruction ID: 26fcedef6f748499e5fe3393cb5c66566a753cc1af630be753ba9f2f043259a7
Opcode Fuzzy Hash: 8d20399ca0c45e9d9822cf7c71a5e7941afc738dccdfec787f62a1a92b8aa047
Instruction Fuzzy Hash: 8801F232101110BBDB212B66DC4EEAB7F29EF86374F248214FA18890E2D722C812D7A0

Function 007EEBD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,00000000,?,007EE987), ref: 007EEBF6
GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,?,?,007EE987), ref: 007EEC1A

Strings

WLOG_FILTER, xrefs: 007EEBE5, 007EEC15

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: EnvironmentVariable
String ID: WLOG_FILTER
API String ID: 1431749950-2006202657
Opcode ID: 92bb2880164ab661e9fbf61bce6bab45cae69df785c92ac70754306bcb380346
Instruction ID: d1fff254e23f84f47931a0d4bc344c1cb185ba47d7df6f3e78d4e204d44e62ca
Opcode Fuzzy Hash: 92bb2880164ab661e9fbf61bce6bab45cae69df785c92ac70754306bcb380346
Instruction Fuzzy Hash: BCF021332166592F46106769BD49D1F7F6DF6CB7A8320041EF008C3151FF255C0686B6

Function 007F4BC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,007F4AE3), ref: 007F4BCC
GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,007F4AE3), ref: 007F4BEC

Strings

WINPR_NATIVE_SSPI, xrefs: 007F4BC7, 007F4BE7

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: EnvironmentVariable
String ID: WINPR_NATIVE_SSPI
API String ID: 1431749950-1020623567
Opcode ID: e547949b80c8c402ec809d8ef0557747b94870318b26ae0d93880c337ee28459
Instruction ID: d0c754d33172aaf4144525f0327f31a2057f90ced78fe600af85efeb9b79cebf
Opcode Fuzzy Hash: e547949b80c8c402ec809d8ef0557747b94870318b26ae0d93880c337ee28459
Instruction Fuzzy Hash: A3F0E23329B13A27D12522AC6C05F3F5A74DBC2F35B201119FA01D7286DE44480682E6

Function 007BA2AA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

rfx_context_new.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 007BA2ED

Part of subcall function 007AE4DD: GetVersionExA.KERNEL32(?), ref: 007AE5CD
Part of subcall function 007AE4DD: GetNativeSystemInfo.KERNEL32(?), ref: 007AE5E7
Part of subcall function 007AE4DD: RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 007AE612

progressive_context_free.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000), ref: 007BA36D

Strings

com.freerdp.codec.progressive, xrefs: 007BA2CA

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: InfoNativeOpenSystemVersionprogressive_context_freerfx_context_new
String ID: com.freerdp.codec.progressive
API String ID: 2699998398-3622116780
Opcode ID: 4450860c4dceb2cc06cf1ca9c7db71ffe648d673ab45068a4d77fe3062e9c727
Instruction ID: cdbcf44b96910a2a03b17d5ceff7562e2a413a9137076db395aa4538fa615acd
Opcode Fuzzy Hash: 4450860c4dceb2cc06cf1ca9c7db71ffe648d673ab45068a4d77fe3062e9c727
Instruction Fuzzy Hash: EFF0E03290574276D32077759805F8F77D8EF83770F14002EF104D7582DA7494018662

Function 007A1ED8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

freerdp_settings_get_key_for_name.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(?), ref: 007A1EEF
freerdp_settings_get_type_for_key.RZRCQGSPMQRYVPNWUPFFNBZPJFYGZJN-ELEVATE(00000000), ref: 007A1F51

Strings

TRUE, xrefs: 007A1F65

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: freerdp_settings_get_key_for_namefreerdp_settings_get_type_for_key
String ID: TRUE
API String ID: 1888880752-3412697401
Opcode ID: 231b486e670cfe313e123580e2e4ba522f399f20955bbfd74b43cf5704b67bb3
Instruction ID: 70cca9cf94898cacc37b23f098202c2ac0c477e1c4a548490270b53dd5fbdb25
Opcode Fuzzy Hash: 231b486e670cfe313e123580e2e4ba522f399f20955bbfd74b43cf5704b67bb3
Instruction Fuzzy Hash: A2E0E532301358AEEA156AAEEC86D9B321DEBC7B71F018235F90496141E768D90045A1

Function 007F717D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,007F7163), ref: 007F7190
GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,?,007F7163), ref: 007F71B1

Part of subcall function 007F7310: LoadLibraryA.KERNEL32(?,?,007F71C4,00000000,?,?,007F7163), ref: 007F7316
Part of subcall function 007F7310: GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 007F732B

Strings

WTSAPI_LIBRARY, xrefs: 007F718B, 007F71AC

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: EnvironmentVariable$AddressLibraryLoadProc
String ID: WTSAPI_LIBRARY
API String ID: 3590464466-1122459656
Opcode ID: e6a28ea178b7aedf89d368af85a344db40fb79ff616cc21df4d1ed351c9a85f2
Instruction ID: 62f20839c1284e3bd6b1c3129f1b4e04d5acb5ef5e44469efa25ceeb4687a0f5
Opcode Fuzzy Hash: e6a28ea178b7aedf89d368af85a344db40fb79ff616cc21df4d1ed351c9a85f2
Instruction Fuzzy Hash: 5CE09B3214B51F6AD139235CBC0AFFF1A14EFC2B65F600119F500D62C5AF545C09C5A7

Function 007F7310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,007F71C4,00000000,?,?,007F7163), ref: 007F7316
GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 007F732B

Strings

InitWtsApi, xrefs: 007F7325

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InitWtsApi
API String ID: 2574300362-3428673357
Opcode ID: dc3314db77f09897bc88f88bac5404011fa4a7b0df908c3643c0bf3950d84e49
Instruction ID: fb9c77097050ece7ee1bf50de4d6c627483ebe8811f9e0385502518a59f9f145
Opcode Fuzzy Hash: dc3314db77f09897bc88f88bac5404011fa4a7b0df908c3643c0bf3950d84e49
Instruction Fuzzy Hash: DED0173264C70AAB9B04EFF6BC0692B3BECAB416443045965A819C22A1EB75C911D7A0

Function 0085F42C Relevance: 5.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0084B650,009A0388,0000000C), ref: 0085F430
SetLastError.KERNEL32(00000000), ref: 0085F4D2
GetLastError.KERNEL32(00000000,?,00845FDD,0085F0E3,?,?,007EF77A,0000000C,?,?,?,?,007627D2,?,?,?), ref: 0085F581
SetLastError.KERNEL32(00000000,00000006), ref: 0085F623

Part of subcall function 0085F066: HeapFree.KERNEL32(00000000,00000000,?,00845F2D,?,?,?,007EFA9A,?,?,?,?,?,0076293F,?,?), ref: 0085F07C
Part of subcall function 0085F066: GetLastError.KERNEL32(?,?,00845F2D,?,?,?,007EFA9A,?,?,?,?,?,0076293F,?,?), ref: 0085F087

Memory Dump Source

Source File: 00000005.00000002.119525888556.0000000000181000.00000040.00000001.01000000.00000006.sdmp, Offset: 00180000, based on PE: true

Associated: 00000005.00000002.119525857261.0000000000180000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000904000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000090C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009AB000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000009CF000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000A1C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000AB8000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.0000000000CA1000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000016A3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.000000000180A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119525888556.00000000018AD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.119528171078.00000000018D3000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_180000_rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.jbxd

Similarity

API ID: ErrorLast$FreeHeap
String ID:
API String ID: 3197834085-0
Opcode ID: a1bcf325222e0540daee0d0a03e3bdf98c6104b7499a45e1481b694adc4786b2
Instruction ID: d92161059f910dd6c07f853165b6c1d9283f3a3d5b1c670779db7aecd9531bed
Opcode Fuzzy Hash: a1bcf325222e0540daee0d0a03e3bdf98c6104b7499a45e1481b694adc4786b2
Instruction Fuzzy Hash: 4141D5356192156EDA207BBCAD8AD2B328CFF45376B190771FF10DA1E3EB148C0A9152

Analysis Process: getscreen-120727697-x86.exePID: 4320, Parent PID: 6380COMMON

Execution Graph

Execution Coverage:	0.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	77
Total number of Limit Nodes:	6

Executed Functions

Function 01DD29E0 Relevance: 7.7, APIs: 5, Instructions: 212
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 01DD2B13
GetProcAddress.KERNELBASE(?,01DACFF9), ref: 01DD2B31
ExitProcess.KERNEL32(?,01DACFF9), ref: 01DD2B42
VirtualProtect.KERNELBASE(00680000,00001000,00000004,?,00000000), ref: 01DD2B90
VirtualProtect.KERNELBASE(00680000,00001000), ref: 01DD2BA5

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: d25980001777dfc6044998a454149cabf163e22abd185095b6074dfe0b37d89b
Instruction ID: 4f472fed30cf2d8cfe854a0649669370f7576a47e51c2d11d81c15fd17aebb45
Opcode Fuzzy Hash: d25980001777dfc6044998a454149cabf163e22abd185095b6074dfe0b37d89b
Instruction Fuzzy Hash: D1516A726507124BD7318EBCCCC0676BBA4EB453347190738DAE2DB3C6E7E0980A8362

Function 00D4B6E0 Relevance: 6.1, APIs: 4, Instructions: 66
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D5F42C: GetLastError.KERNEL32(00000000,?,00D45FDD,00D5F0E3,?,?,00CEF77A,0000000C,?,?,?,?,00C627D2,?,?,?), ref: 00D5F581
Part of subcall function 00D5F42C: SetLastError.KERNEL32(00000000,00000006), ref: 00D5F623

CloseHandle.KERNEL32(?,?,?,00D4B817,?,?,00D4B689,00000000), ref: 00D4B711
FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,00D4B817,?,?,00D4B689,00000000), ref: 00D4B727
RtlExitUserThread.NTDLL(?,?,?,00D4B817,?,?,00D4B689,00000000), ref: 00D4B730
GetModuleHandleExW.KERNEL32(00000004,?,0000000C), ref: 00D4B76E

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ErrorExitHandleLastThread$CloseFreeLibraryModuleUser
String ID:
API String ID: 1062721995-0
Opcode ID: c2c247b5d2256c89098385337b304bb1cd5178ca7d273ac7eb5c1091459e57c0
Instruction ID: 1901a29a9b26463173847d1e35f50852d7d0182d91b4bc448c4d92d2837f9087
Opcode Fuzzy Hash: c2c247b5d2256c89098385337b304bb1cd5178ca7d273ac7eb5c1091459e57c0
Instruction Fuzzy Hash: BF1190B1500304ABCB249B65DC09E9A7BA8DF90770F188126FD55CB2A1DB70ED05C7B0

Function 00D4B62B Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetLastError.KERNEL32(00EA0388,0000000C), ref: 00D4B63E
RtlExitUserThread.NTDLL(00000000), ref: 00D4B645

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ErrorExitLastThreadUser
String ID:
API String ID: 1750398979-0
Opcode ID: cda9a85d4d7c8acf69fc2c152970044da1c3661237ab6a933ea152b34a3ecdd4
Instruction ID: f99965073187bc59fd35d495c0f4d0c875eedf507719632cb0d77c4936883a0f
Opcode Fuzzy Hash: cda9a85d4d7c8acf69fc2c152970044da1c3661237ab6a933ea152b34a3ecdd4
Instruction Fuzzy Hash: EEF0CD75900305AFDF00AFB0D80AB6E7B74EF40721F250149F802EB2A2CB70A941CBB5

Non-executed Functions

Function 00CEE42E Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF42FB

Strings

DecryptMessage: %s (0x%08X), xrefs: 00CF433E
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF4348, 00CF4387
[%s]: Security module does not provide an implementation, xrefs: 00CF4381
sspi_DecryptMessage, xrefs: 00CF4343, 00CF437B, 00CF4380, 00CF4386

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DecryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DecryptMessage
API String ID: 689400697-3301108232
Opcode ID: ce41969bf1fd8b2e6582ddd557d665c540deed592ca7a7f001640069ce9aafd6
Instruction ID: 639598cf6f32c8d5dd03b243bf3419939b4b610a771410b9f54d5fd6b9ac89ba
Opcode Fuzzy Hash: ce41969bf1fd8b2e6582ddd557d665c540deed592ca7a7f001640069ce9aafd6
Instruction Fuzzy Hash: 3111A7713883497BDA153A56FC03E7B3E6CEB96B60F004054F704A51E1DA51DA10E6A6

Function 00CEE437 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF43BE

Strings

EncryptMessage: %s (0x%08X), xrefs: 00CF4401
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF440B, 00CF444A
sspi_EncryptMessage, xrefs: 00CF4406, 00CF443E, 00CF4443, 00CF4449
[%s]: Security module does not provide an implementation, xrefs: 00CF4444

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EncryptMessage: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EncryptMessage
API String ID: 689400697-3976766517
Opcode ID: aa021050d2298062e3f6b051fab0adc7bd5995524c0398ece1a226dea12042fd
Instruction ID: 0dfaf17075a534ef71bc29a989c8314e163cacf7d5e1b69d01cfc367870f028b
Opcode Fuzzy Hash: aa021050d2298062e3f6b051fab0adc7bd5995524c0398ece1a226dea12042fd
Instruction Fuzzy Hash: F611A7713843497BEB257E56FC03F7B3E6CDB82B50F004064FA04B51E1DA51DB10A6A2

Function 00C95E14 Relevance: 6.0, APIs: 4, Instructions: 28COMMON

Download Yara Rule

APIs

crypto_cert_fingerprint.GETSCREEN-120727697-X86(?), ref: 00C95E1C

Part of subcall function 00C9576E: crypto_cert_fingerprint_by_hash.GETSCREEN-120727697-X86(?,sha256), ref: 00C95779

crypto_cert_issuer.GETSCREEN-120727697-X86(?), ref: 00C95E30
crypto_cert_subject.GETSCREEN-120727697-X86(?,?), ref: 00C95E3A
certificate_data_new.GETSCREEN-120727697-X86(?,?,00000000,00000000,00000000,?,?), ref: 00C95E4A

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: certificate_data_newcrypto_cert_fingerprintcrypto_cert_fingerprint_by_hashcrypto_cert_issuercrypto_cert_subject
String ID:
API String ID: 1865246629-0
Opcode ID: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
Instruction ID: babd9a273ab1f3c4f4b3132f77013e2a149710300b52863b10c3681beb46f56b
Opcode Fuzzy Hash: b22f0af09afbb53f47c67a66392b01df666bde5d5b51faeba4ef9e6157e0229e
Instruction Fuzzy Hash: 9AE0DF36000608BF8F122F69CC09C9F3EADDF823E4B044124BD0856121DA32CE10A7A0

Function 00D3FCA9 Relevance: 6.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00D3FDC9,00E6C654), ref: 00D3FCAE
UnhandledExceptionFilter.KERNEL32(00D3FDC9,?,00D3FDC9,00E6C654), ref: 00D3FCB7
GetCurrentProcess.KERNEL32(C0000409,?,00D3FDC9,00E6C654), ref: 00D3FCC2
TerminateProcess.KERNEL32(00000000,?,00D3FDC9,00E6C654), ref: 00D3FCC9

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
String ID:
API String ID: 3231755760-0
Opcode ID: 4954addfa3c3919c9ae6164e5accc27cf7f12ad21cffe9e3c64a01f8dc05b85b
Instruction ID: 13dfcfb339175bd5513f8b6df33bbe56db74e9e77133bff8ebd6fd8f75025957
Opcode Fuzzy Hash: 4954addfa3c3919c9ae6164e5accc27cf7f12ad21cffe9e3c64a01f8dc05b85b
Instruction Fuzzy Hash: 4DD0123202430ABBDB002BE9FE0CB493F2CFB08A1AF050000F30AC2262EBB144008B75

Function 00CF7449 Relevance: 224.3, APIs: 64, Strings: 64, Instructions: 269
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(wtsapi32.dll,00CF7168), ref: 00CF744E
GetProcAddress.KERNEL32(00000000,WTSStopRemoteControlSession), ref: 00CF746B
GetProcAddress.KERNEL32(WTSStartRemoteControlSessionW), ref: 00CF747D
GetProcAddress.KERNEL32(WTSStartRemoteControlSessionA), ref: 00CF748F
GetProcAddress.KERNEL32(WTSConnectSessionW), ref: 00CF74A1
GetProcAddress.KERNEL32(WTSConnectSessionA), ref: 00CF74B3
GetProcAddress.KERNEL32(WTSEnumerateServersW), ref: 00CF74C5
GetProcAddress.KERNEL32(WTSEnumerateServersA), ref: 00CF74D7
GetProcAddress.KERNEL32(WTSOpenServerW), ref: 00CF74E9
GetProcAddress.KERNEL32(WTSOpenServerA), ref: 00CF74FB
GetProcAddress.KERNEL32(WTSOpenServerExW), ref: 00CF750D
GetProcAddress.KERNEL32(WTSOpenServerExA), ref: 00CF751F
GetProcAddress.KERNEL32(WTSCloseServer), ref: 00CF7531
GetProcAddress.KERNEL32(WTSEnumerateSessionsW), ref: 00CF7543
GetProcAddress.KERNEL32(WTSEnumerateSessionsA), ref: 00CF7555
GetProcAddress.KERNEL32(WTSEnumerateSessionsExW), ref: 00CF7567
GetProcAddress.KERNEL32(WTSEnumerateSessionsExA), ref: 00CF7579
GetProcAddress.KERNEL32(WTSEnumerateProcessesW), ref: 00CF758B
GetProcAddress.KERNEL32(WTSEnumerateProcessesA), ref: 00CF759D
GetProcAddress.KERNEL32(WTSTerminateProcess), ref: 00CF75AF
GetProcAddress.KERNEL32(WTSQuerySessionInformationW), ref: 00CF75C1
GetProcAddress.KERNEL32(WTSQuerySessionInformationA), ref: 00CF75D3
GetProcAddress.KERNEL32(WTSQueryUserConfigW), ref: 00CF75E5
GetProcAddress.KERNEL32(WTSQueryUserConfigA), ref: 00CF75F7
GetProcAddress.KERNEL32(WTSSetUserConfigW), ref: 00CF7609

Strings

WTSEnumerateProcessesW, xrefs: 00CF757B
WTSFreeMemoryExA, xrefs: 00CF7797
WTSVirtualChannelWrite, xrefs: 00CF76D1
WTSEnumerateSessionsExA, xrefs: 00CF7569
WTSQueryUserConfigW, xrefs: 00CF75D5
WTSEnumerateServersW, xrefs: 00CF74B5
WTSEnumerateListenersW, xrefs: 00CF77CD
WTSQuerySessionInformationA, xrefs: 00CF75C3
WTSLogoffSession, xrefs: 00CF7653
WTSStopRemoteControlSession, xrefs: 00CF7465
WTSCreateListenerW, xrefs: 00CF7815
wtsapi32.dll, xrefs: 00CF7449
WTSRegisterSessionNotification, xrefs: 00CF7730
WTSVirtualChannelPurgeOutput, xrefs: 00CF76F5
WTSUnRegisterSessionNotification, xrefs: 00CF773D
WTSFreeMemoryExW, xrefs: 00CF7785
WTSGetListenerSecurityA, xrefs: 00CF786F
WTSEnumerateSessionsExW, xrefs: 00CF7557
WTSVirtualChannelOpen, xrefs: 00CF7689
WTSSendMessageA, xrefs: 00CF762F
WTSEnumerateProcessesExA, xrefs: 00CF77BB
WTSSetUserConfigA, xrefs: 00CF760B
WTSOpenServerExA, xrefs: 00CF750F
WTSOpenServerExW, xrefs: 00CF74FD
WTSSetListenerSecurityW, xrefs: 00CF7839
WTSOpenServerW, xrefs: 00CF74D9
WTSQueryUserToken, xrefs: 00CF7773
WTSSendMessageW, xrefs: 00CF761D
WTSDisconnectSession, xrefs: 00CF7641
WTSUnRegisterSessionNotificationEx, xrefs: 00CF7761
WTSShutdownSystem, xrefs: 00CF7665
WTSEnableChildSessions, xrefs: 00CF7881
WTSVirtualChannelQuery, xrefs: 00CF7707
WTSFreeMemory, xrefs: 00CF7719
WTSStartRemoteControlSessionW, xrefs: 00CF746D
WTSEnumerateProcessesExW, xrefs: 00CF77A9
WTSEnumerateListenersA, xrefs: 00CF77DF
WTSIsChildSessionsEnabled, xrefs: 00CF7898
WTSVirtualChannelRead, xrefs: 00CF76BF
WTSEnumerateServersA, xrefs: 00CF74C7
WTSQuerySessionInformationW, xrefs: 00CF75B1
WTSSetListenerSecurityA, xrefs: 00CF784B
WTSQueryUserConfigA, xrefs: 00CF75E7
WTSEnumerateSessionsW, xrefs: 00CF7533
WTSEnumerateSessionsA, xrefs: 00CF7545
WTSRegisterSessionNotificationEx, xrefs: 00CF774F
WTSEnumerateProcessesA, xrefs: 00CF758D
WTSTerminateProcess, xrefs: 00CF759F
WTSQueryListenerConfigW, xrefs: 00CF77F1
WTSGetChildSessionId, xrefs: 00CF78A5
WTSOpenServerA, xrefs: 00CF74EB
WTSStartRemoteControlSessionA, xrefs: 00CF747F
WTSConnectSessionW, xrefs: 00CF7491
WTSConnectSessionA, xrefs: 00CF74A3
WTSSetUserConfigW, xrefs: 00CF75F9
WTSGetActiveConsoleSessionId, xrefs: 00CF78B7
WTSCreateListenerA, xrefs: 00CF7827
WTSQueryListenerConfigA, xrefs: 00CF7803
WTSVirtualChannelPurgeInput, xrefs: 00CF76E3
WTSVirtualChannelClose, xrefs: 00CF76AD
WTSVirtualChannelOpenEx, xrefs: 00CF769B
WTSWaitSystemEvent, xrefs: 00CF7677
WTSGetListenerSecurityW, xrefs: 00CF785D
WTSCloseServer, xrefs: 00CF7521

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: WTSCloseServer$WTSConnectSessionA$WTSConnectSessionW$WTSCreateListenerA$WTSCreateListenerW$WTSDisconnectSession$WTSEnableChildSessions$WTSEnumerateListenersA$WTSEnumerateListenersW$WTSEnumerateProcessesA$WTSEnumerateProcessesExA$WTSEnumerateProcessesExW$WTSEnumerateProcessesW$WTSEnumerateServersA$WTSEnumerateServersW$WTSEnumerateSessionsA$WTSEnumerateSessionsExA$WTSEnumerateSessionsExW$WTSEnumerateSessionsW$WTSFreeMemory$WTSFreeMemoryExA$WTSFreeMemoryExW$WTSGetActiveConsoleSessionId$WTSGetChildSessionId$WTSGetListenerSecurityA$WTSGetListenerSecurityW$WTSIsChildSessionsEnabled$WTSLogoffSession$WTSOpenServerA$WTSOpenServerExA$WTSOpenServerExW$WTSOpenServerW$WTSQueryListenerConfigA$WTSQueryListenerConfigW$WTSQuerySessionInformationA$WTSQuerySessionInformationW$WTSQueryUserConfigA$WTSQueryUserConfigW$WTSQueryUserToken$WTSRegisterSessionNotification$WTSRegisterSessionNotificationEx$WTSSendMessageA$WTSSendMessageW$WTSSetListenerSecurityA$WTSSetListenerSecurityW$WTSSetUserConfigA$WTSSetUserConfigW$WTSShutdownSystem$WTSStartRemoteControlSessionA$WTSStartRemoteControlSessionW$WTSStopRemoteControlSession$WTSTerminateProcess$WTSUnRegisterSessionNotification$WTSUnRegisterSessionNotificationEx$WTSVirtualChannelClose$WTSVirtualChannelOpen$WTSVirtualChannelOpenEx$WTSVirtualChannelPurgeInput$WTSVirtualChannelPurgeOutput$WTSVirtualChannelQuery$WTSVirtualChannelRead$WTSVirtualChannelWrite$WTSWaitSystemEvent$wtsapi32.dll
API String ID: 2238633743-2998606599
Opcode ID: 93855af530ffa46304fdf0a014763f85ce5d89dc3df6f377d2933f107e3af863
Instruction ID: 17cd246979dc7ef1172f99d6086bceb9d82a5887c21ab5f1d19246d0048c3e09
Opcode Fuzzy Hash: 93855af530ffa46304fdf0a014763f85ce5d89dc3df6f377d2933f107e3af863
Instruction Fuzzy Hash: FBB125F4E8831CAACB11BF72BC4AC477EE1EB4A770700991AA804B6272D7755051FF94

Function 00CE14E3 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 194
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

freerdp_error_info.GETSCREEN-120727697-X86(?,?,?,?,?,?,?,00CE14DF,?,00000000), ref: 00CE1519
freerdp_get_error_info_string.GETSCREEN-120727697-X86(00000000,?,?,?,?,?,?,00CE14DF,?,00000000), ref: 00CE155D
freerdp_reconnect.GETSCREEN-120727697-X86(?,?,?,?,?,?,?,00CE14DF,?,00000000), ref: 00CE1601
freerdp_get_last_error.GETSCREEN-120727697-X86(?,?,?,?,?,?,?,00CE14DF,?,00000000), ref: 00CE1611
Sleep.KERNEL32(0000000A,?,?,?,?,?,?,00CE14DF,?,00000000), ref: 00CE167E

Strings

com.freerdp.client.common, xrefs: 00CE153E, 00CE1589, 00CE15BC, 00CE1627, 00CE169D, 00CE16E9, 00CE16F2
Maximum reconnect retries exceeded, xrefs: 00CE16B7
C:\Project\agent-windows\freerdp\FreeRDP\client\common\client.c, xrefs: 00CE156D, 00CE15E4, 00CE164B, 00CE16C1, 00CE171A
Attempting reconnect (%u of %u), xrefs: 00CE15DA
client_auto_reconnect_ex, xrefs: 00CE1568, 00CE15DF, 00CE1646, 00CE16BC, 00CE1715
Disconnected by server hitting a bug or resource limit [%s], xrefs: 00CE1563
Autoreconnect aborted by user, xrefs: 00CE1641
Network disconnect!, xrefs: 00CE1710

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Sleepfreerdp_error_infofreerdp_get_error_info_stringfreerdp_get_last_errorfreerdp_reconnect
String ID: Attempting reconnect (%u of %u)$Autoreconnect aborted by user$C:\Project\agent-windows\freerdp\FreeRDP\client\common\client.c$Disconnected by server hitting a bug or resource limit [%s]$Maximum reconnect retries exceeded$Network disconnect!$client_auto_reconnect_ex$com.freerdp.client.common
API String ID: 968149013-2963753137
Opcode ID: 2db74af42ba7d09e6422547e4c0c60948b76629a901cc09558f694d09c854aa0
Instruction ID: e00c10f74add01c5291ffdc1148519a15b0b1c7a199d2ae5325660955b7f486e
Opcode Fuzzy Hash: 2db74af42ba7d09e6422547e4c0c60948b76629a901cc09558f694d09c854aa0
Instruction Fuzzy Hash: 7D510B72B4038577EB207B27EC47FAA3BA8DB55B90F1C4025F924FA1C1DB748B519614

Function 00CAA89E Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 127
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

gdi_get_pixel_format.GETSCREEN-120727697-X86(?,?,?,?,?,00CAA899,?,?,00000000,00000000,Function_006DAA7A), ref: 00CAA8B3
gdi_free.GETSCREEN-120727697-X86(?,?,?,?,?,00CAA899,?,?,00000000,00000000,Function_006DAA7A), ref: 00CAAA40

Strings

C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\gdi\gdi.c, xrefs: 00CAAA77
failed to initialize gdi, xrefs: 00CAAA6D
gdi_init_ex, xrefs: 00CAAA72
com.freerdp.gdi, xrefs: 00CAA8D7, 00CAAA4F

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: gdi_freegdi_get_pixel_format
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\gdi\gdi.c$com.freerdp.gdi$failed to initialize gdi$gdi_init_ex
API String ID: 1251975138-534786182
Opcode ID: 0091b0b157fc0b0954c5b8adc3f09047e0f29e9a227f404a2fe4f3a1c9701522
Instruction ID: 87a6df2ccc1f027b6c55f30ffb9aa4963d177229a6c8ece7acb9c9ebf6d059b1
Opcode Fuzzy Hash: 0091b0b157fc0b0954c5b8adc3f09047e0f29e9a227f404a2fe4f3a1c9701522
Instruction Fuzzy Hash: 6F4181B5200702AFD714AF34DC42B6A77E1FF05318F148429F5689B292EF31AD50EB55

Function 00C70E1F Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00C70F64
RtlLeaveCriticalSection.NTDLL(?), ref: 00C70F79

Strings

Skipping, channel already loaded, xrefs: 00C70EB8
com.freerdp.core.client, xrefs: 00C70E3D, 00C70E9A, 00C70F9B
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c, xrefs: 00C70E69, 00C70EC2, 00C70FC3
,, xrefs: 00C70F23
error: too many channels, xrefs: 00C70E5F
freerdp_channels_client_load_ex, xrefs: 00C70E64, 00C70EBD, 00C70FBE
error: channel export function call failed, xrefs: 00C70FB9
PDRF, xrefs: 00C70F4B

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: ,$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load_ex
API String ID: 3168844106-1571615648
Opcode ID: b297c6c2bc6d501db443eba0f3b87a48e47863f41fc384ca9f4511b42e4621d8
Instruction ID: ec7421b13f304d3ff33e1c6d34312d7db8c5bea546959db2535638ff7aa7c8dc
Opcode Fuzzy Hash: b297c6c2bc6d501db443eba0f3b87a48e47863f41fc384ca9f4511b42e4621d8
Instruction Fuzzy Hash: 6441A2B1B4430AAFDB14DF69EC42B9D77F4EB09714F208019F618FB291D774A9009B58

Function 00CE6C86 Relevance: 16.1, APIs: 4, Strings: 5, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

freerdp_device_collection_add.GETSCREEN-120727697-X86(?,?), ref: 00CE6D79
freerdp_device_collection_add.GETSCREEN-120727697-X86(?,00000000), ref: 00CE6E1D
freerdp_device_collection_add.GETSCREEN-120727697-X86(?,00000000), ref: 00CE6F6F
freerdp_device_collection_add.GETSCREEN-120727697-X86(?,00000000), ref: 00CE7044

Strings

serial, xrefs: 00CE6E3D
smartcard, xrefs: 00CE6DA3
drive, xrefs: 00CE6C95
parallel, xrefs: 00CE6FAF
printer, xrefs: 00CE6CDF

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_device_collection_add
String ID: drive$parallel$printer$serial$smartcard
API String ID: 2538329621-807955808
Opcode ID: d7b85528f3cdceabad5dd029c6ac1c0a4f507cc103017fb6132aee0f53206de4
Instruction ID: 51b9b5c3edebc135498255d68e9d4b9fd6df0563954057e1172776fe64510a74
Opcode Fuzzy Hash: d7b85528f3cdceabad5dd029c6ac1c0a4f507cc103017fb6132aee0f53206de4
Instruction Fuzzy Hash: ECB114326186429FCF14AF1AEC4195E7BB1FF14354B14806AF8149F257EF32EE158BA1

Function 00C70C4D Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 145
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00C70D92
RtlLeaveCriticalSection.NTDLL(?), ref: 00C70DB2

Strings

Skipping, channel already loaded, xrefs: 00C70CE8
com.freerdp.core.client, xrefs: 00C70C6C, 00C70CCA, 00C70DD3
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c, xrefs: 00C70C98, 00C70CF2, 00C70DFB
PDRF, xrefs: 00C70D76
freerdp_channels_client_load, xrefs: 00C70C93, 00C70CED, 00C70DF6
error: too many channels, xrefs: 00C70C8E
error: channel export function call failed, xrefs: 00C70DF1

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\client.c$PDRF$Skipping, channel already loaded$com.freerdp.core.client$error: channel export function call failed$error: too many channels$freerdp_channels_client_load
API String ID: 3168844106-4217659166
Opcode ID: 10095d0ba63845ab02e80f5422bd42c6f29093905e48d174e1a326022a0d6e1a
Instruction ID: b6fcdaad7f3b30823b81f38545544b94067e5faae89d8797907c1f92a3ad9c6c
Opcode Fuzzy Hash: 10095d0ba63845ab02e80f5422bd42c6f29093905e48d174e1a326022a0d6e1a
Instruction Fuzzy Hash: 105182B1B40315EFDB10DF69EC46F5977B8FB05754F208019FA18BB291E7B4A9009B58

Function 00D73B76 Relevance: 15.1, APIs: 10, Instructions: 134
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

freerdp_settings_set_bool.GETSCREEN-120727697-X86(?,00000400,00000001), ref: 00D73B87
freerdp_settings_set_string.GETSCREEN-120727697-X86(?,00000401,00000000), ref: 00D73BB7
freerdp_settings_set_string.GETSCREEN-120727697-X86(?,00000404,?), ref: 00D73BDB
freerdp_settings_set_string.GETSCREEN-120727697-X86(?,00000402,00000000), ref: 00D73BFA
freerdp_settings_set_string.GETSCREEN-120727697-X86(?,00000014,?), ref: 00D73C12
freerdp_settings_set_string.GETSCREEN-120727697-X86(?,000006C1,?), ref: 00D73C2B
freerdp_settings_set_string.GETSCREEN-120727697-X86(?,00000403,?), ref: 00D73C44
freerdp_settings_set_string.GETSCREEN-120727697-X86(?,00000015,00000000), ref: 00D73C60
freerdp_settings_set_uint32.GETSCREEN-120727697-X86(?,00000013,?), ref: 00D73C82
freerdp_target_net_addresses_free.GETSCREEN-120727697-X86(?), ref: 00D73C93

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_settings_set_string$freerdp_settings_set_boolfreerdp_settings_set_uint32freerdp_target_net_addresses_free
String ID:
API String ID: 949014189-0
Opcode ID: 12f87a41451c66bc5c8156e90c5a793ed94ff3185f274a213cefdbc36b09d4f7
Instruction ID: fbbd6145addeac5081b1dd49de341b447b65a5da3ab097938798ce112510d006
Opcode Fuzzy Hash: 12f87a41451c66bc5c8156e90c5a793ed94ff3185f274a213cefdbc36b09d4f7
Instruction Fuzzy Hash: 1D41D571600A16BBE7315F34DC45F9673A4BF05304F088024FA09969D2F772EA64E7A6

Function 00D21612 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00CF5CD5: InitializeCriticalSectionAndSpinCount.KERNEL32(00000004,00000FA0,?,00000000,?,00D21701,00000001), ref: 00CF5CF9

zgfx_context_new.GETSCREEN-120727697-X86(00000000), ref: 00D21874

Part of subcall function 00D7693A: zgfx_context_reset.GETSCREEN-120727697-X86(00000000,00000000,00000000,?,00D21879,00000000), ref: 00D76964

Strings

calloc failed!, xrefs: 00D21657, 00D2180B
Failed to acquire reference to WLog %s, xrefs: 00D216BF
rdpgfx_client_context_new, xrefs: 00D2165C, 00D216C4, 00D2173C, 00D21810, 00D218B7
HashTable_New failed!, xrefs: 00D21737
com.freerdp.channels.rdpgfx.client, xrefs: 00D21635, 00D2167A, 00D2167F, 00D216A0, 00D216BE, 00D21719, 00D217ED, 00D21898
zgfx_context_new failed!, xrefs: 00D218B2
C:\Project\agent-windows\freerdp\FreeRDP\channels\rdpgfx\client\rdpgfx_main.c, xrefs: 00D21661, 00D216C9, 00D21741, 00D21815, 00D218BC

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpinzgfx_context_newzgfx_context_reset
String ID: C:\Project\agent-windows\freerdp\FreeRDP\channels\rdpgfx\client\rdpgfx_main.c$Failed to acquire reference to WLog %s$HashTable_New failed!$calloc failed!$com.freerdp.channels.rdpgfx.client$rdpgfx_client_context_new$zgfx_context_new failed!
API String ID: 3732774510-3243565116
Opcode ID: 912225df5cb8962d173d901d4d6a44b9f3c2b391d4d19e08fcbec6be92dc1816
Instruction ID: a86130ae6df4db2af70910bed62500d2570962d8d3996644a65222aec575ff00
Opcode Fuzzy Hash: 912225df5cb8962d173d901d4d6a44b9f3c2b391d4d19e08fcbec6be92dc1816
Instruction Fuzzy Hash: 5D7107756847127BE310AB26FC82B5677E4FF75768F104229F505AB6C1DBB0E8008FA8

Function 00CAE4DD Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 138registrythreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00CF6B05: InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,00000000,00000000,00000000,?,00CAE59B,00000001,00006060,00000010), ref: 00CF6B3E

GetVersionExA.KERNEL32(?), ref: 00CAE5CD
GetNativeSystemInfo.KERNEL32(?), ref: 00CAE5E7
RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 00CAE612
primitives_get.GETSCREEN-120727697-X86 ref: 00CAE6DC
CreateThreadpool.KERNEL32(00000000), ref: 00CAE6E2

Strings

com.freerdp.codec.rfx, xrefs: 00CAE530
Software\FreeRDP\FreeRDP\RemoteFX, xrefs: 00CAE605

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: CountCreateCriticalInfoInitializeNativeOpenSectionSpinSystemThreadpoolVersionprimitives_get
String ID: Software\FreeRDP\FreeRDP\RemoteFX$com.freerdp.codec.rfx
API String ID: 3882483829-2530424157
Opcode ID: 8768aff9d7521d06a3b29629155c2e047ace5312022b6a3b228fedae53cbda38
Instruction ID: 8a90664448468cdc170025329b06a163fbb6b0c8c4029e94265cc66f2084f9e6
Opcode Fuzzy Hash: 8768aff9d7521d06a3b29629155c2e047ace5312022b6a3b228fedae53cbda38
Instruction Fuzzy Hash: 5E4191B1A0070AAFEB109F75DC85B6AB7F8FF45304F10442EE619D6242DB74E944CBA1

Function 00CEE889 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 106COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 00CEE8B2
GetEnvironmentVariableA.KERNEL32(WLOG_APPENDER,00000000,00000000), ref: 00CEE8D6

Strings

WLOG_APPENDER, xrefs: 00CEE8A6, 00CEE8D1, 00CEE8E3
BINARY, xrefs: 00CEE938
CONSOLE, xrefs: 00CEE911
UDP, xrefs: 00CEE94E
%s environment variable modified in my back, xrefs: 00CEE8E8
FILE, xrefs: 00CEE922

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: EnvironmentVariable
String ID: %s environment variable modified in my back$BINARY$CONSOLE$FILE$UDP$WLOG_APPENDER
API String ID: 1431749950-225596728
Opcode ID: d98882023fed67a53fcedf7d6d955660fd8f1898a4c318fe9d90f41b143da71d
Instruction ID: 71e5936d9a7402b6c0cfe2f4c9e40f6697f80f3fc3590f59cbe8d0714cda0598
Opcode Fuzzy Hash: d98882023fed67a53fcedf7d6d955660fd8f1898a4c318fe9d90f41b143da71d
Instruction Fuzzy Hash: BE21F5322487973AB6547267BC8BE7B1B98CF93BB4724003AF415F50C3FE91894156B2

Function 00C63971 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

freerdp_set_last_error_ex.GETSCREEN-120727697-X86(?,?,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000015B), ref: 00C748D9
freerdp_set_last_error_ex.GETSCREEN-120727697-X86(?,00000000,rdp_set_error_info,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c,0000016A), ref: 00C7498F

Strings

ErrorInfo, xrefs: 00C7490B
freerdp, xrefs: 00C74919
com.freerdp.core.rdp, xrefs: 00C74933
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c, xrefs: 00C748C7, 00C7495F, 00C74982
rdp_set_error_info, xrefs: 00C748CC, 00C74953, 00C74958, 00C7495E, 00C74987
%s missing context=%p, xrefs: 00C74959

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_set_last_error_ex
String ID: %s missing context=%p$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\rdp.c$ErrorInfo$com.freerdp.core.rdp$freerdp$rdp_set_error_info
API String ID: 270715978-29603548
Opcode ID: 48abaf15e95dd73cf46592ae28540c641e2a8228f73f49bf1dbfb5f968e37ef8
Instruction ID: 603961e2ba534dd06f8e207bb9e5c0a193ebe28f6f1bfc4037d78a6a82eeff28
Opcode Fuzzy Hash: 48abaf15e95dd73cf46592ae28540c641e2a8228f73f49bf1dbfb5f968e37ef8
Instruction Fuzzy Hash: 4221DB72A40314BAD7146B59DC43FEB7B6CAB41B10F148059FB187A1C2E7F09740DAA5

Function 00D758B8 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 93COMMON

Download Yara Rule

APIs

audio_format_get_tag_string.GETSCREEN-120727697-X86(00000000,?,?,00D75425,?,?,?,?,00000000,?), ref: 00D758FA
audio_format_get_tag_string.GETSCREEN-120727697-X86(00000001,00000000,?,?,00D75425,?,?,?,?,00000000,?), ref: 00D75902
audio_format_compatible.GETSCREEN-120727697-X86(00D75425,?,?,?,?,00D75425,?,?,?,?,00000000,?), ref: 00D7594D

Strings

freerdp_dsp_resample, xrefs: 00D75909, 00D7590E, 00D75914, 00D75989
Missing resample support, recompile -DWITH_SOXR=ON or -DWITH_DSP_FFMPEG=ON, xrefs: 00D75984
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\dsp.c, xrefs: 00D75915, 00D7598E
%s requires %s for sample input, got %s, xrefs: 00D7590F
com.freerdp.dsp, xrefs: 00D758D4, 00D75966

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: audio_format_get_tag_string$audio_format_compatible
String ID: %s requires %s for sample input, got %s$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\dsp.c$Missing resample support, recompile -DWITH_SOXR=ON or -DWITH_DSP_FFMPEG=ON$com.freerdp.dsp$freerdp_dsp_resample
API String ID: 204136587-155179076
Opcode ID: c076730c2cdf2b43ec3bb8c24c112716b5399c4693ff42c8a4a7d9c982a2fc3f
Instruction ID: 440f3168609fc76a3f37b83ce6b4f6065edcd913afd8d9805caa4824121a844d
Opcode Fuzzy Hash: c076730c2cdf2b43ec3bb8c24c112716b5399c4693ff42c8a4a7d9c982a2fc3f
Instruction Fuzzy Hash: 1421C8A2744305AAE714AB65FC83F6A33989B00764F14401AF74CFA1C5FAE2984096B9

Function 00CF4B0C Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 37libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(secur32.dll,?,00CF4AEC), ref: 00CF4B18
LoadLibraryA.KERNEL32(security.dll,?,00CF4AEC), ref: 00CF4B28
GetProcAddress.KERNEL32(00000000,InitSecurityInterfaceW), ref: 00CF4B42
GetProcAddress.KERNEL32(InitSecurityInterfaceA), ref: 00CF4B51

Strings

InitSecurityInterfaceA, xrefs: 00CF4B44
security.dll, xrefs: 00CF4B23
InitSecurityInterfaceW, xrefs: 00CF4B3C
secur32.dll, xrefs: 00CF4B13

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InitSecurityInterfaceA$InitSecurityInterfaceW$secur32.dll$security.dll
API String ID: 2574300362-4081094439
Opcode ID: 7cf07f2a1c00b7227c4964872c79554979fff5e5e7f49fbea20852e1f1a96c8c
Instruction ID: 928ca7c1b7f8bfd67e40e022761ed9a7a7bc43c59b6aa5ab8c680a349ff3b660
Opcode Fuzzy Hash: 7cf07f2a1c00b7227c4964872c79554979fff5e5e7f49fbea20852e1f1a96c8c
Instruction Fuzzy Hash: F6F05EB3D5872B578715ABB9BC00D273AE8AA857503064163D910E3211EBB0C8015FA1

Function 00CA42E5 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 181fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00CA4320
GetFileSize.KERNEL32(00000000,?), ref: 00CA433A

Strings

%s %hu %s %s %s, xrefs: 00CA4610

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: File$CreateSize
String ID: %s %hu %s %s %s
API String ID: 2791376181-2916857029
Opcode ID: 7bcf500b43e8a1a392c1e80a4c2fadfb0aac54fdd5e9a04d01e16d16290dff41
Instruction ID: d940685ea78d0ef2b93cec23b912d34a29b3578c8ef9ee52af97b01308f209fb
Opcode Fuzzy Hash: 7bcf500b43e8a1a392c1e80a4c2fadfb0aac54fdd5e9a04d01e16d16290dff41
Instruction Fuzzy Hash: 6E516FB1D00216AFEB149BA4EC45ABF77BCEF46764F10412AF911E6191EBB09A009B71

Function 00C8501B Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 140COMMON

Download Yara Rule

APIs

ber_read_universal_tag.GETSCREEN-120727697-X86(?,00000002,00000000), ref: 00C8502A
ber_read_length.GETSCREEN-120727697-X86(?,?), ref: 00C8503F

Strings

com.freerdp.crypto, xrefs: 00C8510A, 00C85159
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\crypto\ber.c, xrefs: 00C85132, 00C85182
should implement reading an integer with length=%d, xrefs: 00C85178
ber_read_integer, xrefs: 00C8512D, 00C8517D
should implement reading an 8 bytes integer, xrefs: 00C85128

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ber_read_lengthber_read_universal_tag
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\crypto\ber.c$ber_read_integer$com.freerdp.crypto$should implement reading an 8 bytes integer$should implement reading an integer with length=%d
API String ID: 3186670568-2454464461
Opcode ID: 7e621cbb67768c7c6eefa40bf0fe5427a48f8e8cd2f1690f194dba3abb5410dd
Instruction ID: 4fc8586d7bb1266cb171ba7d46761147f7898be202f0dd2e37985b3e580f6f60
Opcode Fuzzy Hash: 7e621cbb67768c7c6eefa40bf0fe5427a48f8e8cd2f1690f194dba3abb5410dd
Instruction Fuzzy Hash: 3441AAF2704B505FDB20AF25DC82B2D3BE1AB52718F144169F4649B2C5E7B4EA00DB68

Function 00CC9C5D Relevance: 12.4, APIs: 1, Strings: 6, Instructions: 109COMMON

Download Yara Rule

APIs

region16_rects.GETSCREEN-120727697-X86(?,?), ref: 00CC9C6E

Strings

com.freerdp.codec, xrefs: 00CC9C80, 00CC9CE5, 00CC9D33
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\region.c, xrefs: 00CC9CAC, 00CC9D0E, 00CC9D6E
nrects=%u, xrefs: 00CC9CA2
band %d: , xrefs: 00CC9D04
region16_print, xrefs: 00CC9CA7, 00CC9D09, 00CC9D69
(%hu,%hu-%hu,%hu), xrefs: 00CC9D64

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: region16_rects
String ID: (%hu,%hu-%hu,%hu)$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\region.c$band %d: $com.freerdp.codec$nrects=%u$region16_print
API String ID: 844131241-2640574824
Opcode ID: 4a4c77dccc16862c815f0215d4d7134d197983da76292561cf302c879fd29bbf
Instruction ID: ee633ea685e382dbfb27cd9b4dacacc65bc2ca13a083d885a20902f24dba0440
Opcode Fuzzy Hash: 4a4c77dccc16862c815f0215d4d7134d197983da76292561cf302c879fd29bbf
Instruction Fuzzy Hash: C331D7B278030179F7206B65EC8BFB637D8DB95B95F140029F924F62D0FAB19E40E260

Function 00C62BCF Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 102COMMON

Download Yara Rule

APIs

freerdp_set_last_error_ex.GETSCREEN-120727697-X86(?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00C62C14
clearChannelError.GETSCREEN-120727697-X86(?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00C62C1B

Part of subcall function 00C626E1: ResetEvent.KERNEL32(?), ref: 00C6270A

Part of subcall function 00C78142: ResetEvent.KERNEL32(?,?,00C62C27,?,?,?,00000000,freerdp_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,000000AA), ref: 00C7814E

Strings

freerdp_connect, xrefs: 00C62C01
ConnectionResult, xrefs: 00C63077
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00C62BFC
freerdp, xrefs: 00C63062

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: EventReset$ChannelErrorclearfreerdp_set_last_error_ex
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$ConnectionResult$freerdp$freerdp_connect
API String ID: 3632380314-3564821047
Opcode ID: 007197a1ddb015358c8dbc30cca939814f98404058a5c2d07d02a474118715c1
Instruction ID: 4b0198320b0ec4fff5db6edade089d8e7ccf9a7d66ded18708bfe932dacf1f19
Opcode Fuzzy Hash: 007197a1ddb015358c8dbc30cca939814f98404058a5c2d07d02a474118715c1
Instruction Fuzzy Hash: 09316DB1A00605AFE720DF69D8C5BAAB7E4FF08350F140079F819E7292DB719A549B50

Function 00C853FD Relevance: 12.1, APIs: 8, Instructions: 80COMMON

Download Yara Rule

APIs

ber_write_universal_tag.GETSCREEN-120727697-X86(?,00000002,00000000), ref: 00C85415
ber_write_length.GETSCREEN-120727697-X86(?,00000001,?,00000002,00000000), ref: 00C8541D
ber_write_universal_tag.GETSCREEN-120727697-X86(?,00000002,00000000), ref: 00C85440
ber_write_length.GETSCREEN-120727697-X86(?,00000002,?,00000002,00000000), ref: 00C85448

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ber_write_lengthber_write_universal_tag
String ID:
API String ID: 1889070510-0
Opcode ID: 18ef3f9f5ae11241768caf1c4dc31a824dec3e3bd5586f49f269dacf6024e569
Instruction ID: 392db7234b777cdd2ad7c3022d27e273b90f0055aabffa371a39b55448c565d4
Opcode Fuzzy Hash: 18ef3f9f5ae11241768caf1c4dc31a824dec3e3bd5586f49f269dacf6024e569
Instruction Fuzzy Hash: 2B21DA35105F40AFDB127B05CD42B5A77A5EF51B06F018459F94A1F783C2B1AE41CBA9

Function 00C8CB5F Relevance: 12.1, APIs: 8, Instructions: 65COMMON

Download Yara Rule

APIs

glyph_cache_new.GETSCREEN-120727697-X86(?), ref: 00C8CB79
brush_cache_new.GETSCREEN-120727697-X86(?), ref: 00C8CB86
pointer_cache_new.GETSCREEN-120727697-X86(?), ref: 00C8CB94
bitmap_cache_new.GETSCREEN-120727697-X86(?), ref: 00C8CBA2
offscreen_cache_new.GETSCREEN-120727697-X86(?), ref: 00C8CBB0
palette_cache_new.GETSCREEN-120727697-X86(?), ref: 00C8CBBE
nine_grid_cache_new.GETSCREEN-120727697-X86(?), ref: 00C8CBCC
cache_free.GETSCREEN-120727697-X86(00000000), ref: 00C8CBDE

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: bitmap_cache_newbrush_cache_newcache_freeglyph_cache_newnine_grid_cache_newoffscreen_cache_newpalette_cache_newpointer_cache_new
String ID:
API String ID: 2332728789-0
Opcode ID: 42906154869710506a0c67ebba1e6bbb42983877cc0118c6e46d3c0bd67e0258
Instruction ID: ff20b8f4cde8f3d795764462a50ad085736e550ab270530d6e4efc7fef8768b1
Opcode Fuzzy Hash: 42906154869710506a0c67ebba1e6bbb42983877cc0118c6e46d3c0bd67e0258
Instruction Fuzzy Hash: E9018436148F075BE3257A759882D3B67E88F42B78710443EE594D6981EF30D501A779

Function 00CAEFD0 Relevance: 10.7, APIs: 7, Instructions: 160COMMON

Download Yara Rule

APIs

region16_init.GETSCREEN-120727697-X86(?), ref: 00CAF58A

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: region16_init
String ID:
API String ID: 4140821900-0
Opcode ID: 3e8d829aa97f6b1ed1f2f2cf94f42bc771981313d169c183af5fd76dbc63c424
Instruction ID: f06bb51283218ef4db889d232943de260f0760811043b0a95a4515087f6a0c45
Opcode Fuzzy Hash: 3e8d829aa97f6b1ed1f2f2cf94f42bc771981313d169c183af5fd76dbc63c424
Instruction Fuzzy Hash: 89514C72D0021A9BCB18DFE5C885AEEBBF9EF48304F10452EF519E7240E7359A46DB60

Function 00CAAA9A Relevance: 10.6, APIs: 7, Instructions: 147windowCOMMON

Download Yara Rule

APIs

gdi_CreateCompatibleDC.GETSCREEN-120727697-X86(?,00000000,?,?,?,00CAA9C7,00000000,?,?,?,?,?,?,?,?,00CAA899), ref: 00CAAAE7
gdi_CreateCompatibleBitmap.GETSCREEN-120727697-X86(?,?,?,00000000,?,?,?,00CAA9C7,00000000,?,?,?,?), ref: 00CAAB0E
gdi_CreateBitmapEx.GETSCREEN-120727697-X86(?,?,?,?,?,?,00000000,?,?,?,00CAA9C7,00000000,?,?,?,?), ref: 00CAAB2A
gdi_SelectObject.GETSCREEN-120727697-X86(?,?), ref: 00CAAB60
gdi_CreateRectRgn.GETSCREEN-120727697-X86(00000000,00000000,00000000,00000000), ref: 00CAABA5
gdi_DeleteObject.GETSCREEN-120727697-X86(?), ref: 00CAAC39
gdi_DeleteDC.GETSCREEN-120727697-X86(?), ref: 00CAAC48

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: gdi_$Create$BitmapCompatibleDeleteObject$RectSelect
String ID:
API String ID: 412453062-0
Opcode ID: 63bcb7db3704573387d602035f9edcf4ce94fd8292c8b1d92a53da2faae9183a
Instruction ID: eb37b047ffd0bcdf8500106a0980dc342ff418bb4e92b087b2455d987dc7f40c
Opcode Fuzzy Hash: 63bcb7db3704573387d602035f9edcf4ce94fd8292c8b1d92a53da2faae9183a
Instruction Fuzzy Hash: 06511475200B059FD725DF29D884EA6BBE0FF1C314B0545ADE89A8BB22E771E840DF51

Function 00CFEA62 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,00000000,00000000,?,?,?,?,?,00CF6939,?,?,?,?,00CF6A0A,?), ref: 00CFEABD
GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_PATH,00000000,?,?,?,?,00CF6939,?,?,?,?,00CF6A0A,?,?,00000000), ref: 00CFEAE7
GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,00000000,?,?,?,00CF6939,?,?,?,?,00CF6A0A,?,?,00000000), ref: 00CFEB14
GetEnvironmentVariableA.KERNEL32(WLOG_FILEAPPENDER_OUTPUT_FILE_NAME,00000000,?,?,?,?,00CF6939,?,?,?,?,00CF6A0A,?,?,00000000), ref: 00CFEB37

Strings

WLOG_FILEAPPENDER_OUTPUT_FILE_PATH, xrefs: 00CFEA87, 00CFEAE2
WLOG_FILEAPPENDER_OUTPUT_FILE_NAME, xrefs: 00CFEB0F, 00CFEB32

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: EnvironmentVariable
String ID: WLOG_FILEAPPENDER_OUTPUT_FILE_NAME$WLOG_FILEAPPENDER_OUTPUT_FILE_PATH
API String ID: 1431749950-2760771567
Opcode ID: ed83b8158fbb9768303932c71be0d97a5323e3b3edd6a4a77e446a3f41c19419
Instruction ID: 72f8a6a89ad3f27edc57dc7947a373d551bc533494a940a739f99d2f96602295
Opcode Fuzzy Hash: ed83b8158fbb9768303932c71be0d97a5323e3b3edd6a4a77e446a3f41c19419
Instruction Fuzzy Hash: C731F5B1901B1ABF8B545BA5AC49D7E7F78FF407643200019FA01A3665EB70AE14C7B7

Function 006E8EE0 Relevance: 10.6, APIs: 7, Instructions: 87COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00F21278,006E8C90,006E8EC0,00000000), ref: 006E8F0A
GetLastError.KERNEL32 ref: 006E8F38
TlsGetValue.KERNEL32 ref: 006E8F46
SetLastError.KERNEL32(00000000), ref: 006E8F4F
RtlAcquireSRWLockExclusive.NTDLL(00F21284), ref: 006E8F61
RtlReleaseSRWLockExclusive.NTDLL(00F21284), ref: 006E8F73
TlsSetValue.KERNEL32(00000000,?,?,00000000,006CB080), ref: 006E8FB5

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ErrorExclusiveLastLockOnceValue$AcquireExecuteInitRelease
String ID:
API String ID: 389898287-0
Opcode ID: 51f100eed5c1d39754759e97ffd3161dcd2e2c0304f633b456252645cb7ebb48
Instruction ID: 2fbd9024241c0ce87fb6349d256268dbfa24ee4745f32b8d6ecc847ddea9adb3
Opcode Fuzzy Hash: 51f100eed5c1d39754759e97ffd3161dcd2e2c0304f633b456252645cb7ebb48
Instruction Fuzzy Hash: BE21A17161034AAFDB106FA9EC49BAE3B66FF15741F050020F909D7391EB719C059BB2

Function 00CFF61C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000002,00000011), ref: 00CFF673
GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,00CF6921,?,?,?,?,00CF6A0A,?,?,00000000,?,00CEE976,00000000), ref: 00CFF68A
GetEnvironmentVariableA.KERNEL32(WLOG_UDP_TARGET,00000000,00000000,?,00CF6921,?,?,?,?,00CF6A0A,?,?,00000000,?,00CEE976,00000000), ref: 00CFF6AB
closesocket.WS2_32(?), ref: 00CFF6E6

Strings

WLOG_UDP_TARGET, xrefs: 00CFF685, 00CFF6A6
127.0.0.1:20000, xrefs: 00CFF6CB

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: EnvironmentVariable$closesocketsocket
String ID: 127.0.0.1:20000$WLOG_UDP_TARGET
API String ID: 65193492-3368084233
Opcode ID: 734a9b35b39a53be4604349a7c4d5d4eb8dd0ba7fa9ac668911ac3a06a3216ec
Instruction ID: 0379af0537864dc6f9e342269cf543121c96b09ac98ee5633615ee696bcf78a0
Opcode Fuzzy Hash: 734a9b35b39a53be4604349a7c4d5d4eb8dd0ba7fa9ac668911ac3a06a3216ec
Instruction Fuzzy Hash: 3421C271114B0A6FD7705F65AC0AB277BE4EF41754F20042DF742DA6E2EFB1A4068B62

Function 00D0001B Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(winsta.dll,?,00CF78D9,00FA7120), ref: 00D00023
GetProcAddress.KERNEL32(00000000,WinStationVirtualOpen), ref: 00D0003C
GetProcAddress.KERNEL32(WinStationVirtualOpenEx), ref: 00D00052

Strings

winsta.dll, xrefs: 00D0001E
WinStationVirtualOpenEx, xrefs: 00D00042
WinStationVirtualOpen, xrefs: 00D00036

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: WinStationVirtualOpen$WinStationVirtualOpenEx$winsta.dll
API String ID: 2238633743-2382846951
Opcode ID: 4020b157a603948707b3010783599066aee4abd982669aa74958df0c00381207
Instruction ID: 52dbb324ec089464edb453aaae85fa06822642fee927653569d470af9d437122
Opcode Fuzzy Hash: 4020b157a603948707b3010783599066aee4abd982669aa74958df0c00381207
Instruction Fuzzy Hash: 4C0148B0555705AFC700AFB0AD4DB613EE4AB04359F0948B9A80DDB3A2EBB080449F34

Function 00C8CB11 Relevance: 10.5, APIs: 7, Instructions: 26COMMON

Download Yara Rule

APIs

glyph_cache_free.GETSCREEN-120727697-X86(?), ref: 00C8CB1E
brush_cache_free.GETSCREEN-120727697-X86(?,?), ref: 00C8CB26
pointer_cache_free.GETSCREEN-120727697-X86(?,?,?), ref: 00C8CB2E
bitmap_cache_free.GETSCREEN-120727697-X86(?,?,?,?), ref: 00C8CB36
offscreen_cache_free.GETSCREEN-120727697-X86(?,?,?,?,?), ref: 00C8CB3E
palette_cache_free.GETSCREEN-120727697-X86(?,?,?,?,?,?), ref: 00C8CB46
nine_grid_cache_free.GETSCREEN-120727697-X86(?,?,?,?,?,?,?), ref: 00C8CB4E

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: bitmap_cache_freebrush_cache_freeglyph_cache_freenine_grid_cache_freeoffscreen_cache_freepalette_cache_freepointer_cache_free
String ID:
API String ID: 637575458-0
Opcode ID: 7ad28be861358ee9bde9c91c788d2f392276a4a1cd27f1ec8984fa40b200d7dc
Instruction ID: d65425be388bf7dbb74103c8447edd91e004ad9b18073b161e8117bcec26cfb9
Opcode Fuzzy Hash: 7ad28be861358ee9bde9c91c788d2f392276a4a1cd27f1ec8984fa40b200d7dc
Instruction Fuzzy Hash: 1AE01231401E15ABCA323F61DC43C5ABBAAEF017557004539F59A214B3CB22BC60BFA9

Function 00CCDFDE Relevance: 9.2, APIs: 6, Instructions: 160COMMON

Download Yara Rule

APIs

gdi_CRgnToRect.GETSCREEN-120727697-X86(00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 00CCE040
gdi_RgnToRect.GETSCREEN-120727697-X86(?,?,?,?,?), ref: 00CCE04F
gdi_CRgnToRect.GETSCREEN-120727697-X86(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00CCE062
gdi_RgnToRect.GETSCREEN-120727697-X86(?,?,?,?,?), ref: 00CCE0A3
gdi_CRgnToRect.GETSCREEN-120727697-X86(?,?,?,?,?,?,?,?,?,?), ref: 00CCE0C8
gdi_RectToCRgn.GETSCREEN-120727697-X86(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00CCE147

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Rectgdi_
String ID:
API String ID: 2404991910-0
Opcode ID: 79efee6c317ac256d04135e92eb8dfbc1d7f37efa44d1c14cc4ecba054094389
Instruction ID: 5b3345c30c22b6c3cdd12f02daa0270dba1d4891024f418c4b397c1af85086f4
Opcode Fuzzy Hash: 79efee6c317ac256d04135e92eb8dfbc1d7f37efa44d1c14cc4ecba054094389
Instruction Fuzzy Hash: 3D51E0B6E01219AFCF14CFD8C881DEEBBB9FF49310B14402EE515A7251D770AA51DBA0

Function 00CA1D8F Relevance: 9.1, APIs: 6, Instructions: 75COMMON

Download Yara Rule

APIs

freerdp_settings_set_uint32.GETSCREEN-120727697-X86(?,000007C0,?), ref: 00CA1DA2
freerdp_settings_set_bool.GETSCREEN-120727697-X86(?,000007C8,00000001), ref: 00CA1DCC
freerdp_settings_set_bool.GETSCREEN-120727697-X86(?,000007C8,00000000), ref: 00CA1DE8
freerdp_settings_set_bool.GETSCREEN-120727697-X86(?,000007C9,00000000), ref: 00CA1DFC
freerdp_settings_set_bool.GETSCREEN-120727697-X86(?,000007C8,00000000), ref: 00CA1E19
freerdp_settings_set_bool.GETSCREEN-120727697-X86(?,000007C9,00000000), ref: 00CA1E2D

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_settings_set_bool$freerdp_settings_set_uint32
String ID:
API String ID: 4272850885-0
Opcode ID: 3ea0a0162d7e9506aea58fcc0c8a3655e8c344f224c799a42870156a752d33d1
Instruction ID: 901a4ec8469dc3ff08a044c1fe3921b71a85026b70ca007329914b1c29fd5c06
Opcode Fuzzy Hash: 3ea0a0162d7e9506aea58fcc0c8a3655e8c344f224c799a42870156a752d33d1
Instruction Fuzzy Hash: 0711D666F8A25375FB6120654C86F6B129C4F73B5DF2C0025FE28E52C1F995EB0085FA

Function 00CC8AF6 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 154COMMON

Download Yara Rule

APIs

freerdp_image_copy.GETSCREEN-120727697-X86(?,?,?,?,?,?,?,?,08008000,00000000,00000000,00000000,?,00000001,?,?), ref: 00CC8C2B

Strings

com.freerdp.color, xrefs: 00CC8D98
freerdp_image_copy_from_icon_data, xrefs: 00CC8DBA
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 00CC8DBF
1bpp and 4bpp icons are not supported, xrefs: 00CC8DB5

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_image_copy
String ID: 1bpp and 4bpp icons are not supported$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$com.freerdp.color$freerdp_image_copy_from_icon_data
API String ID: 1523062921-332027372
Opcode ID: ace75b5fad94d2d369a29ff600976bb71854165b6639328ef1cd74ffda25b7c4
Instruction ID: 3ad4ffd77cb03b51962746ae6bbbab5e9779a9c8ac10a1e74a017abf42b61c01
Opcode Fuzzy Hash: ace75b5fad94d2d369a29ff600976bb71854165b6639328ef1cd74ffda25b7c4
Instruction Fuzzy Hash: 2D51A4B2A0021DAADF149F15CC51FFB77A8EB14300F0481ADF919A62D1DB709E85DF64

Function 00CE8423 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

Strings

kbd-list, xrefs: 00CE84F5
monitor-list, xrefs: 00CE85E3
kbd-lang-list, xrefs: 00CE84D3

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID:
String ID: kbd-lang-list$kbd-list$monitor-list
API String ID: 0-1393584692
Opcode ID: 54341cd5d4313c24200ed75cfeb21af84d5d5538087aa3f2051cd1a6de2aa7bc
Instruction ID: 5c32e92a9d1d4c9edeeaa37608f846d13a749d8e3965302b136708c0eb75932a
Opcode Fuzzy Hash: 54341cd5d4313c24200ed75cfeb21af84d5d5538087aa3f2051cd1a6de2aa7bc
Instruction Fuzzy Hash: DC31D832901218ABCB20DB69DD46DDBB7ACEB44310F0405A5FE1CA71D2DA70DA44DAE1

Function 00CB9962 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 82COMMON

Download Yara Rule

Strings

com.freerdp.codec, xrefs: 00CB9AD0
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c, xrefs: 00CB9AFA
interleaved_compress: width (%u) or height (%u) is greater than 64, xrefs: 00CB9AF0
interleaved_compress, xrefs: 00CB9AF5

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID:
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\interleaved.c$com.freerdp.codec$interleaved_compress$interleaved_compress: width (%u) or height (%u) is greater than 64
API String ID: 0-4054760794
Opcode ID: 791668c3ca3a158378977368ca7bb680cf1dc57ebdaaa53947c985948995992c
Instruction ID: 71fe3b2d9d4eebaf698171565b04cb6f041de618c3c96217179903f18340d229
Opcode Fuzzy Hash: 791668c3ca3a158378977368ca7bb680cf1dc57ebdaaa53947c985948995992c
Instruction Fuzzy Hash: 522101B2340219BFEF215F56EC46FEB3B68EB04790F084118FA18A60A0E671ED50EB50

Function 00CEE489 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3DA3

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3E08, 00CF3E47
[%s]: Security module does not provide an implementation, xrefs: 00CF3E41
sspi_InitializeSecurityContextA, xrefs: 00CF3E03, 00CF3E3B, 00CF3E40, 00CF3E46
InitializeSecurityContextA: %s (0x%08X), xrefs: 00CF3DFE

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextA
API String ID: 689400697-1744466472
Opcode ID: 10c9d246490c65246194f69d5347d3e89a3555f05e6dcde8adb727470ae09c82
Instruction ID: fef191fb21476ec5392d480298e1cc56cf0f521bf06a1092248cb357c5bc2b50
Opcode Fuzzy Hash: 10c9d246490c65246194f69d5347d3e89a3555f05e6dcde8adb727470ae09c82
Instruction Fuzzy Hash: 5621A572384348BBDF122E56FC02EAB3F69EF55B50F004054FB04651E1D762DA60E7A1

Function 00CEE492 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3CC8

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3D2D, 00CF3D6C
InitializeSecurityContextW: %s (0x%08X), xrefs: 00CF3D23
[%s]: Security module does not provide an implementation, xrefs: 00CF3D66
sspi_InitializeSecurityContextW, xrefs: 00CF3D28, 00CF3D60, 00CF3D65, 00CF3D6B

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$InitializeSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_InitializeSecurityContextW
API String ID: 689400697-743139187
Opcode ID: eb5b5ed6ec9661f8c279d6c6b903996f86ba492fb535b99431f5330e3d985542
Instruction ID: 99f577304f1961b2e380ed602d8e06817ba8d394ac9ca78eb5375a6a64f5ce81
Opcode Fuzzy Hash: eb5b5ed6ec9661f8c279d6c6b903996f86ba492fb535b99431f5330e3d985542
Instruction Fuzzy Hash: 8021D272284388BBDF522F56EC02EAB3F69EF55B50F004054FB04A50E1CA62DA20E7A1

Function 00CEE40A Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF32F9

Strings

sspi_AcquireCredentialsHandleA, xrefs: 00CF3350, 00CF3388, 00CF338D, 00CF3393
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3355, 00CF3394
[%s]: Security module does not provide an implementation, xrefs: 00CF338E
AcquireCredentialsHandleA: %s (0x%08X), xrefs: 00CF334B

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: AcquireCredentialsHandleA: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleA
API String ID: 689400697-1172745827
Opcode ID: 73e068990a8044f0f5b7c7f9be21feacb75554044632f12195c4dbfd1ca403d5
Instruction ID: bd195243c23d8906611c3e1cfb189bc52e1b80d8e8a8a7da831d35c10bb9c3f3
Opcode Fuzzy Hash: 73e068990a8044f0f5b7c7f9be21feacb75554044632f12195c4dbfd1ca403d5
Instruction Fuzzy Hash: 9F1106323483497BEF116E52EC07EAB3F69EF85B60F004054FB04A51E1DB62DA20E7A1

Function 00CEE401 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF384E

Strings

sspi_AcceptSecurityContext, xrefs: 00CF38A5, 00CF38DD, 00CF38E2, 00CF38E8
AcceptSecurityContext: %s (0x%08X), xrefs: 00CF38A0
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF38AA, 00CF38E9
[%s]: Security module does not provide an implementation, xrefs: 00CF38E3

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: AcceptSecurityContext: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcceptSecurityContext
API String ID: 689400697-2008077614
Opcode ID: 77f8feeb17139fe205bb708142c5fcab414f3fc912e77f51937fe9ed69e63a48
Instruction ID: 6445084b036924974b371f921172709337f7ae14b820b887ba3b06857674cb7b
Opcode Fuzzy Hash: 77f8feeb17139fe205bb708142c5fcab414f3fc912e77f51937fe9ed69e63a48
Instruction Fuzzy Hash: 4711B472244348BBDF512E56AC07EBB3F69EB95B90F004055FB04A51E1DAA6CA20A7A1

Function 00CEE413 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 77COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3227

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3283, 00CF32C2
[%s]: Security module does not provide an implementation, xrefs: 00CF32BC
AcquireCredentialsHandleW: %s (0x%08X), xrefs: 00CF3279
sspi_AcquireCredentialsHandleW, xrefs: 00CF327E, 00CF32B6, 00CF32BB, 00CF32C1

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: AcquireCredentialsHandleW: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_AcquireCredentialsHandleW
API String ID: 689400697-2657764935
Opcode ID: 77db8c7be7a92515962381cd00f7144c43a1db5bac6999a3cb66a581e1a7bcd4
Instruction ID: 78abe2757d99ff9a2ff0b3e8e55c1f3ceb31eaa0bd7d31dac1a93f5b7930dc41
Opcode Fuzzy Hash: 77db8c7be7a92515962381cd00f7144c43a1db5bac6999a3cb66a581e1a7bcd4
Instruction Fuzzy Hash: 791187723883497BDF152E56EC07EB73F69EB55750F004054FB04651E1D762CA20A7A1

Function 00CEE4EC Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF417E

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF41CB, 00CF420A
[%s]: Security module does not provide an implementation, xrefs: 00CF4204
SetContextAttributesA: %s (0x%08X), xrefs: 00CF41C1
sspi_SetContextAttributesA, xrefs: 00CF41C6, 00CF41FE, 00CF4203, 00CF4209

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesA
API String ID: 689400697-1164902870
Opcode ID: 7e2698df54985618b19f4a63ef67ce6045684f42607d7b66d08c6a421ecafe0e
Instruction ID: d831b63cec5b4f2cbf809c4d7b2a86e4e44b982df38a8665738b66b8fbb71bc6
Opcode Fuzzy Hash: 7e2698df54985618b19f4a63ef67ce6045684f42607d7b66d08c6a421ecafe0e
Instruction Fuzzy Hash: 8911EB753843097BE6257E56BC03E7B3E6CDB91B50F004054FB00A51D1DA51DB50A6A2

Function 00CEE4FE Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF4544

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF4591, 00CF45D0
[%s]: Security module does not provide an implementation, xrefs: 00CF45CA
VerifySignature: %s (0x%08X), xrefs: 00CF4587
sspi_VerifySignature, xrefs: 00CF458C, 00CF45C4, 00CF45C9, 00CF45CF

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$VerifySignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_VerifySignature
API String ID: 689400697-1495805676
Opcode ID: cd572da4416a40af2610e49e6c2314a6bae99643e4d51338114e8b95a6bf17d7
Instruction ID: 031560a242d83289fe46e80db4324ef35f4215f57813426e9df16ccb0fe968ef
Opcode Fuzzy Hash: cd572da4416a40af2610e49e6c2314a6bae99643e4d51338114e8b95a6bf17d7
Instruction Fuzzy Hash: 3A110A713883487BDB557A57BC07E7B3B6CDB82B60F004094FB00A51D1DA91CA10A6A6

Function 00CEE4F5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF40BB

Strings

SetContextAttributesW: %s (0x%08X), xrefs: 00CF40FE
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF4108, 00CF4147
sspi_SetContextAttributesW, xrefs: 00CF4103, 00CF413B, 00CF4140, 00CF4146
[%s]: Security module does not provide an implementation, xrefs: 00CF4141

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$SetContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_SetContextAttributesW
API String ID: 689400697-247170817
Opcode ID: f3a1f8f1e214bb3f3786c9c0c8c346b13768d0b484ac8cede27e09fb086a5a65
Instruction ID: eb3240321031b01f04de1529974511add67f372e1a67a6c6f4bc3e64db639ee0
Opcode Fuzzy Hash: f3a1f8f1e214bb3f3786c9c0c8c346b13768d0b484ac8cede27e09fb086a5a65
Instruction Fuzzy Hash: DE11A7723843097BEA653A56FC03E7B3A6CEB92B60F008054FA10E51D1DA51CA50A6A2

Function 00CEE49B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF4481

Strings

MakeSignature: %s (0x%08X), xrefs: 00CF44C4
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF44CE, 00CF450D
[%s]: Security module does not provide an implementation, xrefs: 00CF4507
sspi_MakeSignature, xrefs: 00CF44C9, 00CF4501, 00CF4506, 00CF450C

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$MakeSignature: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_MakeSignature
API String ID: 689400697-3834539683
Opcode ID: 69cf55472194734ab704a3de8b982ab1c3f4bf07a74c1ab9835db25e0c570509
Instruction ID: 1fad117634643f8e15afd6b24126986c9c3f2a1083e5dc487a834f4abd9366d4
Opcode Fuzzy Hash: 69cf55472194734ab704a3de8b982ab1c3f4bf07a74c1ab9835db25e0c570509
Instruction Fuzzy Hash: BA11A7713843097BDA653B56BD03F7B3F68EB82B50F008054FB00B51E2DA91DE50E6A6

Function 00CEE452 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF33CB

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3418, 00CF3457
ExportSecurityContext: %s (0x%08X), xrefs: 00CF340E
[%s]: Security module does not provide an implementation, xrefs: 00CF3451
sspi_ExportSecurityContext, xrefs: 00CF3413, 00CF344B, 00CF3450, 00CF3456

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ExportSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ExportSecurityContext
API String ID: 689400697-3640258815
Opcode ID: 74069cbdef5b8a3dbe84a2acc18ee86317a43fa97decac71cc5cddddce7bcedf
Instruction ID: 112ea93fc9d4194342f9b5358e7b5e622ccaed377def0a668563961735aeee24
Opcode Fuzzy Hash: 74069cbdef5b8a3dbe84a2acc18ee86317a43fa97decac71cc5cddddce7bcedf
Instruction Fuzzy Hash: 3E11AB713843487AEB612A57BC07E7B3E58DF92B50F004054FB04B61E1DA52DB10B6B6

Function 00CEE46D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF360B

Strings

sspi_ImportSecurityContextA, xrefs: 00CF3653, 00CF368B, 00CF3690, 00CF3696
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3658, 00CF3697
ImportSecurityContextA: %s (0x%08X), xrefs: 00CF364E
[%s]: Security module does not provide an implementation, xrefs: 00CF3691

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextA
API String ID: 689400697-848437295
Opcode ID: d9afabd350c0d48cd4beb4d4a4540df449ef17b7900740c8252a7acc17660032
Instruction ID: 054de70bd76790a715a535bb3dd5f20c9fb95d33ac3007fc86697eebd06aaea2
Opcode Fuzzy Hash: d9afabd350c0d48cd4beb4d4a4540df449ef17b7900740c8252a7acc17660032
Instruction Fuzzy Hash: 191106713843487AEB616A56BC07E7B3B6CEB92B60F000055FA04F52E1DE91CB10A7A6

Function 00CEE476 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 72COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3548

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3595, 00CF35D4
[%s]: Security module does not provide an implementation, xrefs: 00CF35CE
sspi_ImportSecurityContextW, xrefs: 00CF3590, 00CF35C8, 00CF35CD, 00CF35D3
ImportSecurityContextW: %s (0x%08X), xrefs: 00CF358B

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImportSecurityContextW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImportSecurityContextW
API String ID: 689400697-3257054040
Opcode ID: 85caf3b47d4a3789b1f6712f9f8604d13176a8dd23da81cb82a124a96c9ef160
Instruction ID: d66131195b3326bf96537a089398a960aeadd5bc89bce57385a4a55d928e5adc
Opcode Fuzzy Hash: 85caf3b47d4a3789b1f6712f9f8604d13176a8dd23da81cb82a124a96c9ef160
Instruction Fuzzy Hash: D9110A713883497BEB653A56BC07F7B3A6CEB81B50F004054FA00A61D1DE51DB10A7A2

Function 00CC1A7D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

ncrush_context_reset.GETSCREEN-120727697-X86(00000000,00000000), ref: 00CC1B36

Strings

com.freerdp.codec, xrefs: 00CC1AF1
ncrush_context_new: failed to initialize tables, xrefs: 00CC1B0F
ncrush_context_new, xrefs: 00CC1B14
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c, xrefs: 00CC1B19

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ncrush_context_reset
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\ncrush.c$com.freerdp.codec$ncrush_context_new$ncrush_context_new: failed to initialize tables
API String ID: 2838332675-904927664
Opcode ID: a1974156d4806f5c120e09ccc90145cc861dd492c4d15da48bf7c155aeb93e8b
Instruction ID: e737827e8b79a640c1bf5de67cdef7ebad60773746240302bec312025456f8a6
Opcode Fuzzy Hash: a1974156d4806f5c120e09ccc90145cc861dd492c4d15da48bf7c155aeb93e8b
Instruction Fuzzy Hash: 191108F22407063BE304AB16EC42FA6B79CEB42750F14411DF518A6282EFB1ED50CBB4

Function 00CEE4AD Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3E7E

Strings

QueryContextAttributesW: %s (0x%08X), xrefs: 00CF3EBE
sspi_QueryContextAttributesW, xrefs: 00CF3EC3, 00CF3EFB, 00CF3F00, 00CF3F06
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3EC8, 00CF3F07
[%s]: Security module does not provide an implementation, xrefs: 00CF3F01

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesW
API String ID: 689400697-2578917824
Opcode ID: 3bfa2b88d85f0201ce86f66392a66bc1e4f743e5204eab4660bc319a0646822b
Instruction ID: 0cdb6d4f19104f9a6eab9bf06a45220c926236ed4b757b2cf19632a9b7ffc9e6
Opcode Fuzzy Hash: 3bfa2b88d85f0201ce86f66392a66bc1e4f743e5204eab4660bc319a0646822b
Instruction Fuzzy Hash: 0E1129723883487BEA612B57BC03E7B3A6CEF92F60F004054F604A61D1DA52CB10A2A2

Function 00CEE4A4 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3F3E

Strings

QueryContextAttributesA: %s (0x%08X), xrefs: 00CF3F7E
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3F88, 00CF3FC7
[%s]: Security module does not provide an implementation, xrefs: 00CF3FC1
sspi_QueryContextAttributesA, xrefs: 00CF3F83, 00CF3FBB, 00CF3FC0, 00CF3FC6

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryContextAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryContextAttributesA
API String ID: 689400697-3211427146
Opcode ID: ae2c30c93e4d98db099a1cdfd1315cfa6f4243642ec87d0cb742ffba26ab4ece
Instruction ID: 3255c61de5ffddd2c12d22238db877f153c1782f074c1757b48651d32cb4dbae
Opcode Fuzzy Hash: ae2c30c93e4d98db099a1cdfd1315cfa6f4243642ec87d0cb742ffba26ab4ece
Instruction Fuzzy Hash: 7F11CA713883497BDA553B57FC03E7B3E6DDB92B60F004094F614A51D1DA91CB10A7A2

Function 00CEE4BF Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF36CE

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3718, 00CF3757
QueryCredentialsAttributesW: %s (0x%08X), xrefs: 00CF370E
[%s]: Security module does not provide an implementation, xrefs: 00CF3751
sspi_QueryCredentialsAttributesW, xrefs: 00CF3713, 00CF374B, 00CF3750, 00CF3756

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesW
API String ID: 689400697-3413647607
Opcode ID: d5bcaae669ebc55c0fa523a3f3d6dd993e8d105c839b2fd074243ac67a6eb5b3
Instruction ID: 5fad99995092fa0725cdb883fad668f26a575a798b0c8c2425d52a4fc2ec68c3
Opcode Fuzzy Hash: d5bcaae669ebc55c0fa523a3f3d6dd993e8d105c839b2fd074243ac67a6eb5b3
Instruction Fuzzy Hash: EB11CAF13843887BE6513657FD07E7B3B5CEB92B50F004055FA04B91E1DA51CB50A6A2

Function 00CEE4B6 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 71COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF378E

Strings

QueryCredentialsAttributesA: %s (0x%08X), xrefs: 00CF37CE
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF37D8, 00CF3817
[%s]: Security module does not provide an implementation, xrefs: 00CF3811
sspi_QueryCredentialsAttributesA, xrefs: 00CF37D3, 00CF380B, 00CF3810, 00CF3816

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QueryCredentialsAttributesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QueryCredentialsAttributesA
API String ID: 689400697-3754301720
Opcode ID: 8a3380eb24ea27a789951bced8c4050e9b2db253c9c893fb020c08ca102c584b
Instruction ID: 9aeb51b31ad2a65d9b0ed8c2309aade3f8617855b9a12c9c1b853385b2b8f0bc
Opcode Fuzzy Hash: 8a3380eb24ea27a789951bced8c4050e9b2db253c9c893fb020c08ca102c584b
Instruction Fuzzy Hash: F711ECB13843897AE6513757FD07E7B3B5CEB92B60F004055FB14A51D1DA51CB10F6A2

Function 00CEE4C8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3FFE

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF4045, 00CF4084
QuerySecurityContextToken: %s (0x%08X), xrefs: 00CF403B
[%s]: Security module does not provide an implementation, xrefs: 00CF407E
sspi_QuerySecurityContextToken, xrefs: 00CF4040, 00CF4078, 00CF407D, 00CF4083

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityContextToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityContextToken
API String ID: 689400697-2156878011
Opcode ID: 4f171ff92a8a160e13b2da23a5d895d5ce28f49a22edcb161f9188e4464c3402
Instruction ID: b809442144f3aaae5e66dc8a354c27ca3e28d59174c38c4b78a1f01436d0bd79
Opcode Fuzzy Hash: 4f171ff92a8a160e13b2da23a5d895d5ce28f49a22edcb161f9188e4464c3402
Instruction Fuzzy Hash: 2E110C713883097BE6653657FC07F773A6CDB82B60F004054F714A61D2DE91DA50A2B6

Function 00CEE4DA Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF30AD

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF30F4, 00CF3133
QuerySecurityPackageInfoW: %s (0x%08X), xrefs: 00CF30EA
[%s]: Security module does not provide an implementation, xrefs: 00CF312D
sspi_QuerySecurityPackageInfoW, xrefs: 00CF30EF, 00CF3127, 00CF312C, 00CF3132

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoW
API String ID: 689400697-2261828479
Opcode ID: 46cf6592f013e5795b35b817b71ac17a5a9f16164056aa739e28872e2ccf8800
Instruction ID: 2cef72389af35a9f02cf851876d39403f37ab94bf93ae72062b6d8f2861cdb3e
Opcode Fuzzy Hash: 46cf6592f013e5795b35b817b71ac17a5a9f16164056aa739e28872e2ccf8800
Instruction Fuzzy Hash: C411A9713883487AE6613657FC07E7B3A6CDB92B60F009094FA14A61D1DB91DB50A6F2

Function 00CEE4D1 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF316A

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF31B1, 00CF31F0
sspi_QuerySecurityPackageInfoA, xrefs: 00CF31AC, 00CF31E4, 00CF31E9, 00CF31EF
[%s]: Security module does not provide an implementation, xrefs: 00CF31EA
QuerySecurityPackageInfoA: %s (0x%08X), xrefs: 00CF31A7

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$QuerySecurityPackageInfoA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_QuerySecurityPackageInfoA
API String ID: 689400697-3351603741
Opcode ID: fc016429e88f9b6ef439774a419b48d7113deb0c903bcffc8138d481498788ef
Instruction ID: 8fdd0f9d03ae7fabe0b987ab17b0ecab3359020030b77065e42b208f65258247
Opcode Fuzzy Hash: fc016429e88f9b6ef439774a419b48d7113deb0c903bcffc8138d481498788ef
Instruction Fuzzy Hash: 7211A97138C3497AEA613657BC07F7B3E6CDB92B60F004064FA04B61D2DB91DB14A6B6

Function 00CEE449 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF2F33

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF2F7A, 00CF2FB9
EnumerateSecurityPackagesW: %s (0x%08X), xrefs: 00CF2F70
[%s]: Security module does not provide an implementation, xrefs: 00CF2FB3
sspi_EnumerateSecurityPackagesW, xrefs: 00CF2F75, 00CF2FAD, 00CF2FB2, 00CF2FB8

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesW: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesW
API String ID: 689400697-255015424
Opcode ID: 44ea1f663795f6cd8605efab0b1e0baeffb2bc2cc3697d4fe76d86a6b65b97c1
Instruction ID: cacb419e5433fb9bef72fba7004ddebb065d5c943a71d7a36fc6a26107e7ac4f
Opcode Fuzzy Hash: 44ea1f663795f6cd8605efab0b1e0baeffb2bc2cc3697d4fe76d86a6b65b97c1
Instruction Fuzzy Hash: 5711C6713883197BE6613697BC07F773AACDB92B60F004058FA14AA1E1DA51CA10A6A2

Function 00CEE440 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF2FF0

Strings

EnumerateSecurityPackagesA: %s (0x%08X), xrefs: 00CF302D
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3037, 00CF3076
[%s]: Security module does not provide an implementation, xrefs: 00CF3070
sspi_EnumerateSecurityPackagesA, xrefs: 00CF3032, 00CF306A, 00CF306F, 00CF3075

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$EnumerateSecurityPackagesA: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_EnumerateSecurityPackagesA
API String ID: 689400697-1149382491
Opcode ID: 722b57f0fd3209414dbf147a789f03c1831d63195eafe1212443da933c27d465
Instruction ID: 145e67971b562d207bbfd6bd3e0242af02415cf2e2b7949aad48d72077d2250c
Opcode Fuzzy Hash: 722b57f0fd3209414dbf147a789f03c1831d63195eafe1212443da933c27d465
Instruction Fuzzy Hash: E611C6713883487AE7612656FC07E7B3B6CDB82B60F004099FA04A51D1DB51DF10A2F2

Function 00CEE41C Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3920

Strings

sspi_ApplyControlToken, xrefs: 00CF3962, 00CF399A, 00CF399F, 00CF39A5
ApplyControlToken: %s (0x%08X), xrefs: 00CF395D
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3967, 00CF39A6
[%s]: Security module does not provide an implementation, xrefs: 00CF39A0

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: ApplyControlToken: %s (0x%08X)$C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$[%s]: Security module does not provide an implementation$sspi_ApplyControlToken
API String ID: 689400697-2845897268
Opcode ID: 6645b2c1b1e11d1d27106f1ea405de46d1d24a317e71d3fb638375f6c3358076
Instruction ID: c1423177ff5b66775315cad4a2ead8ca6e5dba8b28bcf2fe3a38b8032c8b4096
Opcode Fuzzy Hash: 6645b2c1b1e11d1d27106f1ea405de46d1d24a317e71d3fb638375f6c3358076
Instruction Fuzzy Hash: 7911C0713C834976E6553657BC07E7B3A5CDBD1BA0F004054FA04B61E1DAD1DF10A6B6

Function 00CEE425 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF39DD

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3A24, 00CF3A63
[%s]: Security module does not provide an implementation, xrefs: 00CF3A5D
CompleteAuthToken: %s (0x%08X), xrefs: 00CF3A1A
sspi_CompleteAuthToken, xrefs: 00CF3A1F, 00CF3A57, 00CF3A5C, 00CF3A62

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$CompleteAuthToken: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_CompleteAuthToken
API String ID: 689400697-1972714555
Opcode ID: bfcd76e3c1346117e8d13f89a234c690f4bd65bcd1d8626a700865c02514f66e
Instruction ID: abf7a3fc2f8a61fb20c02eff060d69d91815e59a3f7b21e6533c2d817acb37f2
Opcode Fuzzy Hash: bfcd76e3c1346117e8d13f89a234c690f4bd65bcd1d8626a700865c02514f66e
Instruction Fuzzy Hash: 4511E9713843497BE6617657FC07E773A6CDB92B60F004064FA04A61E1EA91CB10B6A6

Function 00CC954D Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

freerdp_image_copy.GETSCREEN-120727697-X86(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00CC95B5

Strings

com.freerdp.color, xrefs: 00CC95C8
SmartScaling requested but compiled without libcairo support!, xrefs: 00CC95E6
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c, xrefs: 00CC95F0
freerdp_image_scale, xrefs: 00CC95EB

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_image_copy
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\color.c$SmartScaling requested but compiled without libcairo support!$com.freerdp.color$freerdp_image_scale
API String ID: 1523062921-212429655
Opcode ID: d6f2b8d51dd1d5338eabd8967bffc64df1ac99f688f27ad38b731781c2b1658e
Instruction ID: 70f3740cec489ecaa763d926535529711bcda719d5b685a4e3a4d4ada059d53f
Opcode Fuzzy Hash: d6f2b8d51dd1d5338eabd8967bffc64df1ac99f688f27ad38b731781c2b1658e
Instruction Fuzzy Hash: F32193B224020DBBDF159F54DC12FEE3BA9EB54740F045109FD14AA2E0E771DA61EB50

Function 00CEE4E3 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF4241

Strings

sspi_RevertSecurityContext, xrefs: 00CF4280, 00CF42B8, 00CF42BD, 00CF42C3
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF4285, 00CF42C4
RevertSecurityContext: %s (0x%08X), xrefs: 00CF427B
[%s]: Security module does not provide an implementation, xrefs: 00CF42BE

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$RevertSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_RevertSecurityContext
API String ID: 689400697-954186549
Opcode ID: 7c4816621b9c84f7ab6758722cf484520f51463230d2e21ec6a79e3670064c29
Instruction ID: e1f70db3c161f8d74ec595d4d1964b0ae2e59d7ee293d1187d90f512b58d7554
Opcode Fuzzy Hash: 7c4816621b9c84f7ab6758722cf484520f51463230d2e21ec6a79e3670064c29
Instruction Fuzzy Hash: 02110C713883097BE6653657BC07F773A6CDB92B50F000065FA00B61D1DA91DF50A6B6

Function 00CEE45B Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3B54

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3B98, 00CF3BD7
sspi_FreeContextBuffer, xrefs: 00CF3B93, 00CF3BCB, 00CF3BD0, 00CF3BD6
FreeContextBuffer: %s (0x%08X), xrefs: 00CF3B8E
[%s]: Security module does not provide an implementation, xrefs: 00CF3BD1

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeContextBuffer: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeContextBuffer
API String ID: 689400697-1791514552
Opcode ID: 239f8c40dfbe8948d4852a7deabacc6f0b156a03e369ae35d3f20d6eca9bcaf4
Instruction ID: 9b5698917a389d6bc11fd89c74c0951a5556da87f345dde92033a454ac29baed
Opcode Fuzzy Hash: 239f8c40dfbe8948d4852a7deabacc6f0b156a03e369ae35d3f20d6eca9bcaf4
Instruction Fuzzy Hash: 2A110C7138838877E6513657BC07E7B3A9CDB92B50F005094F600B61E1DE91CB00A6B6

Function 00CEE464 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3C0E

Strings

C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3C52, 00CF3C91
[%s]: Security module does not provide an implementation, xrefs: 00CF3C8B
ImpersonateSecurityContext: %s (0x%08X), xrefs: 00CF3C48
sspi_ImpersonateSecurityContext, xrefs: 00CF3C4D, 00CF3C85, 00CF3C8A, 00CF3C90

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$ImpersonateSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_ImpersonateSecurityContext
API String ID: 689400697-4242683877
Opcode ID: 4bd2868fda7f11b74e8c426594f2654267983f7fae13bf3afc286749b52f7bf2
Instruction ID: 8b21c02ab48f316bc1bc4b742c48aaa0ef70be15c986e4df044462808e12ea66
Opcode Fuzzy Hash: 4bd2868fda7f11b74e8c426594f2654267983f7fae13bf3afc286749b52f7bf2
Instruction Fuzzy Hash: 7E1108713883487BE6613A17BD07E773A6CDB92F60F004064FA00B61D2DA91CB00A2B6

Function 00CEE507 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF3A9A

Strings

DeleteSecurityContext: %s (0x%08X), xrefs: 00CF3AD4
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF3ADE, 00CF3B1D
[%s]: Security module does not provide an implementation, xrefs: 00CF3B17
sspi_DeleteSecurityContext, xrefs: 00CF3AD9, 00CF3B11, 00CF3B16, 00CF3B1C

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$DeleteSecurityContext: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_DeleteSecurityContext
API String ID: 689400697-4185332897
Opcode ID: e12797c2fc9cc5f2a8217d521fdd6250542aea4bf61b8bd5f2233fe587909f73
Instruction ID: c3b4c08def2f4f327cb77cd6e4c06d16d7770366f8db3ff5e993660983e9b44f
Opcode Fuzzy Hash: e12797c2fc9cc5f2a8217d521fdd6250542aea4bf61b8bd5f2233fe587909f73
Instruction Fuzzy Hash: 891108713883887BE6617657BD07E7B3A5CDB92B60F000068FA04B61E1DE91DB00A6B6

Function 00CEE510 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 69COMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00FA70C8,00CF4AA1,00000000,00000000), ref: 00CF348E

Strings

FreeCredentialsHandle: %s (0x%08X), xrefs: 00CF34C8
sspi_FreeCredentialsHandle, xrefs: 00CF34CD, 00CF3505, 00CF350A, 00CF3510
C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c, xrefs: 00CF34D2, 00CF3511
[%s]: Security module does not provide an implementation, xrefs: 00CF350B

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: C:\Project\agent-windows\freerdp\FreeRDP\winpr\libwinpr\sspi\sspi.c$FreeCredentialsHandle: %s (0x%08X)$[%s]: Security module does not provide an implementation$sspi_FreeCredentialsHandle
API String ID: 689400697-3116451197
Opcode ID: a7a7b8d2aefbc003126d3725a8f44e5c934c3475e265b4c9c6b8ee3a895ee64a
Instruction ID: f79e0d89b2e90e25e8419f9e397c0b60d6be82e25e048b9a71d656161cc2f291
Opcode Fuzzy Hash: a7a7b8d2aefbc003126d3725a8f44e5c934c3475e265b4c9c6b8ee3a895ee64a
Instruction Fuzzy Hash: EF11C8713883887BEA613627BC07F7B3E5CDB92B60F008064F704A61D1DA91DF50A6B6

Function 00D765C5 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 52COMMON

Download Yara Rule

APIs

primitives_get.GETSCREEN-120727697-X86 ref: 00D765CB

Strings

error when decoding lines, xrefs: 00D76629
com.freerdp.codec, xrefs: 00D7660B
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c, xrefs: 00D76633
yuv_process_work_callback, xrefs: 00D7662E

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: primitives_get
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\yuv.c$com.freerdp.codec$error when decoding lines$yuv_process_work_callback
API String ID: 2017034601-2620645302
Opcode ID: a9d7ef252f970c6dffa27ec2ddf02de76eb3ebadb69009ce5fd7c26c29b214dd
Instruction ID: d02d9a726033f0475de53710162205e99770d8ae7891cd5bac30772d4f0e68ca
Opcode Fuzzy Hash: a9d7ef252f970c6dffa27ec2ddf02de76eb3ebadb69009ce5fd7c26c29b214dd
Instruction Fuzzy Hash: BB0156B164030AAFD714EF55DC42F5ABBA8FF04754F14819AF90CAA281F6B1E940DFA4

Function 00CC9EF7 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

region16_extents.GETSCREEN-120727697-X86(?), ref: 00CC9F06
region16_extents.GETSCREEN-120727697-X86(?,?), ref: 00CC9F12
region16_n_rects.GETSCREEN-120727697-X86(?,?,?), ref: 00CC9F1D
region16_n_rects.GETSCREEN-120727697-X86(?), ref: 00CC9F7D

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: region16_extentsregion16_n_rects
String ID:
API String ID: 2062899502-0
Opcode ID: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
Instruction ID: b4942ca9b670de4d08cc21cc7b23b8a013d8364c6a2d0354f2c49e1fa0f5978d
Opcode Fuzzy Hash: a777aa3e440b79e1151d2e5a78892d79e860e14bb9abc1479bfd8844a7d2d6d9
Instruction Fuzzy Hash: 49512875D0022AAFCB14DF99C8449AEF7F5FF18750B15816AE859E7250E334AE40DBA0

Function 006E8E40 Relevance: 7.6, APIs: 5, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNELBASE(00F21278,006E8C90,006E8EC0,00000000), ref: 006E8E6A
GetLastError.KERNEL32 ref: 006E8E7F
TlsGetValue.KERNEL32 ref: 006E8E8D
SetLastError.KERNEL32(00000000), ref: 006E8E96
TlsAlloc.KERNEL32 ref: 006E8EC3

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ErrorLastOnce$AllocExecuteInitValue
String ID:
API String ID: 2822033501-0
Opcode ID: 0c453565b8da99aefc1837cf45a332c2945b69f675a12f047dedf022f51f537d
Instruction ID: 81c95be4e07baa7402f57d0d2d9df3debd3ec724bad0a8716452f59b2b4c9540
Opcode Fuzzy Hash: 0c453565b8da99aefc1837cf45a332c2945b69f675a12f047dedf022f51f537d
Instruction Fuzzy Hash: E101D63565130DDFCB109FBAEC49A6B7BB9FB49710B410225F819D3390EB3098058B75

Function 00D749E4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 80COMMON

Download Yara Rule

APIs

audio_format_print.GETSCREEN-120727697-X86(?,?,?), ref: 00D74A72

Strings

audio_formats_print, xrefs: 00D74A17, 00D74A54, 00D74A95
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c, xrefs: 00D74A1C, 00D74A59, 00D74A9A
AUDIO_FORMATS (%hu) ={, xrefs: 00D74A12

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: audio_format_print
String ID: AUDIO_FORMATS (%hu) ={$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_formats_print
API String ID: 2744001552-3527835062
Opcode ID: 8278a24a6080f64e0ba46f5e3ad8d09a3251d8097074a5f9763b10b1ada8a3b2
Instruction ID: 1cccf3e6dfd691e184f8185257c19960dba49d74458877c6b785fcd6520f7f37
Opcode Fuzzy Hash: 8278a24a6080f64e0ba46f5e3ad8d09a3251d8097074a5f9763b10b1ada8a3b2
Instruction Fuzzy Hash: 0011E27268031637DB12BE165C42FAF2B9CAF62BA4F144015F90C761C2FBB5DA0093B9

Function 00C711D7 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

getChannelError.GETSCREEN-120727697-X86(?), ref: 00C71248

Strings

(, xrefs: 00C71295
freerdp, xrefs: 00C71278
ChannelDetached, xrefs: 00C7127F

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ChannelError
String ID: ($ChannelDetached$freerdp
API String ID: 1163697128-436519898
Opcode ID: a0b67239bd7c05d726d4cc1274ce876e18114648e08a5770bd5409af013c5a80
Instruction ID: b0ae32c3959e39743c6b6ae29fe64dec26df0db7448691a0c3bc63da80726196
Opcode Fuzzy Hash: a0b67239bd7c05d726d4cc1274ce876e18114648e08a5770bd5409af013c5a80
Instruction Fuzzy Hash: F4213D71A00209EFDB14DF98C885FAEBBF5FF08340F148469E958E7252D771AA509FA0

Function 00C70B41 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

getChannelError.GETSCREEN-120727697-X86(?), ref: 00C70BB2

Strings

(, xrefs: 00C70BFF
ChannelAttached, xrefs: 00C70BE9
freerdp, xrefs: 00C70BE2

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ChannelError
String ID: ($ChannelAttached$freerdp
API String ID: 1163697128-2646891115
Opcode ID: d7d3873e38aea3be4a0de84c79ccd9868fec341c2c3a31a04ec2fa1c4eceea04
Instruction ID: 85907b14d6ab58f8ebe211568b197f673c55df080f5d28db45617d805ee2be1b
Opcode Fuzzy Hash: d7d3873e38aea3be4a0de84c79ccd9868fec341c2c3a31a04ec2fa1c4eceea04
Instruction Fuzzy Hash: AB212B71A00209EFDB11DF98C885FAEBBF4FF08344F204569E948E7252D771AA509FA0

Function 00CE783A Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56COMMON

Download Yara Rule

Strings

audin, xrefs: 00CE78F8
rdpsnd, xrefs: 00CE78CA

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID:
String ID: audin$rdpsnd
API String ID: 0-930729200
Opcode ID: 1aad4db287e439b83659f2bd8f1b23f532d11a61dc7f639450b63c98b1677a3f
Instruction ID: d224cdeb3cc325ae71146fb19175a3a305487a3c0c648fdfa262b749eb21c453
Opcode Fuzzy Hash: 1aad4db287e439b83659f2bd8f1b23f532d11a61dc7f639450b63c98b1677a3f
Instruction Fuzzy Hash: 06116031A09A96ABDB24CF26888079AF3A4FF04B51F15532AE46856141D7316E50CBD1

Function 00D74701 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 37COMMON

Download Yara Rule

APIs

audio_format_get_tag_string.GETSCREEN-120727697-X86(?,?,?,?,?,?,?,?), ref: 00D74737

Strings

%s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu, xrefs: 00D7473E
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c, xrefs: 00D74748
audio_format_print, xrefs: 00D74743

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: audio_format_get_tag_string
String ID: %s: wFormatTag: 0x%04hX nChannels: %hu nSamplesPerSec: %u nAvgBytesPerSec: %u nBlockAlign: %hu wBitsPerSample: %hu cbSize: %hu$C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\codec\audio.c$audio_format_print
API String ID: 2866491501-3564663344
Opcode ID: 207ee54f07e54a0f90b5b7fa6f3f9ddf280c42dcaf106ba8c78bec70d03e96cd
Instruction ID: f06d49c9a24ba67a539da46c22982e56ce5da218fb13a4e09bab632d4f230df5
Opcode Fuzzy Hash: 207ee54f07e54a0f90b5b7fa6f3f9ddf280c42dcaf106ba8c78bec70d03e96cd
Instruction Fuzzy Hash: 38F01DB5140318BADA452F51CC02E767769EB48B14B248049FD1C9C192E777D9A2E774

Function 00C62713 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 27COMMON

Download Yara Rule

APIs

freerdp_get_last_error.GETSCREEN-120727697-X86(?), ref: 00C62725
freerdp_set_last_error_ex.GETSCREEN-120727697-X86(?,0002000B,freerdp_abort_connect,C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c,0000013A), ref: 00C62745

Strings

freerdp_abort_connect, xrefs: 00C62739
C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c, xrefs: 00C62734

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_get_last_errorfreerdp_set_last_error_ex
String ID: C:\Project\agent-windows\freerdp\FreeRDP\libfreerdp\core\freerdp.c$freerdp_abort_connect
API String ID: 3690923134-629580617
Opcode ID: a578d8e89890ebf5b2be0488e27d30db5686aa5b0a27273530c66df655b66390
Instruction ID: f082036c95301c71a6d7c025da24c4e139f9ce7f512ce1f9fdaa3a27c5b8e7c8
Opcode Fuzzy Hash: a578d8e89890ebf5b2be0488e27d30db5686aa5b0a27273530c66df655b66390
Instruction Fuzzy Hash: 00E02631241710EBEB322E20DC82FA6F7949F00BA0F148429F5C47A0A1EEA25E80A680

Function 00D7632D Relevance: 6.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

primitives_get.GETSCREEN-120727697-X86 ref: 00D7633F
primitives_flags.GETSCREEN-120727697-X86(00000000), ref: 00D76353
TpWaitForWork.NTDLL(00000000,00000000), ref: 00D764A9
TpReleaseWork.NTDLL(00000000), ref: 00D764B2

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: Work$ReleaseWaitprimitives_flagsprimitives_get
String ID:
API String ID: 704174238-0
Opcode ID: 16c5792973be3c32ace2c1327637439f871eab5895db3e21b265830fe7487755
Instruction ID: 8dabebf0383377bb3a1d44e03e909503f354bc4fa2b97e2700697e8ca9afc550
Opcode Fuzzy Hash: 16c5792973be3c32ace2c1327637439f871eab5895db3e21b265830fe7487755
Instruction Fuzzy Hash: 6A613AB5A0060ADFCB04CFA8D88199EBBF5FF48314B14856AE859E7351E730E951CFA0

Function 00CCC297 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

gdi_SetRgn.GETSCREEN-120727697-X86(?,?,?,?,00000000,00000001,?,?), ref: 00CCC324

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: gdi_
String ID:
API String ID: 2273374161-0
Opcode ID: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
Instruction ID: a13f7bef26efcd80731c8dbd13543bc59f1e95e078e9c860067a49d256cb135f
Opcode Fuzzy Hash: 2ead09a44aba127efa6001147bae376ec00e50ab3ae76740fbfd5d3136eef1b6
Instruction Fuzzy Hash: 0B31D871900209EFCB10DF98C985EEEB7F9FF48310F14806AE915A7211D334EA45CBA0

Function 00CF5C02 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

RtlEnterCriticalSection.NTDLL(?), ref: 00CF5C16
RtlLeaveCriticalSection.NTDLL(?), ref: 00CF5C34
RtlLeaveCriticalSection.NTDLL(?), ref: 00CF5C54
RtlLeaveCriticalSection.NTDLL(?), ref: 00CF5C9A

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: CriticalSection$Leave$Enter
String ID:
API String ID: 2978645861-0
Opcode ID: 1a07fc6ca7eb2f4d1e2e324ad20d511aa8f5657fc0daca6a5e91ab2e8a495a26
Instruction ID: b9a63e32f0a8d518461d158f17ebf47e08cf97265077032bd39b6e1ab6748a57
Opcode Fuzzy Hash: 1a07fc6ca7eb2f4d1e2e324ad20d511aa8f5657fc0daca6a5e91ab2e8a495a26
Instruction Fuzzy Hash: 82218935210B09EFDB648F14C980A79BBF4FB49365F114429EB93A7250D770AA81CB62

Function 00CC9BBD Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

region16_rects.GETSCREEN-120727697-X86(?,00000000), ref: 00CC9BDC
region16_extents.GETSCREEN-120727697-X86(?), ref: 00CC9BEC
rectangles_intersects.GETSCREEN-120727697-X86(00000000,?), ref: 00CC9BF7

Part of subcall function 00CC97FD: rectangles_intersection.GETSCREEN-120727697-X86(?,?,?), ref: 00CC980C

rectangles_intersects.GETSCREEN-120727697-X86(00000000,?), ref: 00CC9C1A

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: rectangles_intersects$rectangles_intersectionregion16_extentsregion16_rects
String ID:
API String ID: 3854534691-0
Opcode ID: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
Instruction ID: 5bada60731b0acbf20b18766d8fc2bd22599e51fda338cfaa990027d1a3248f8
Opcode Fuzzy Hash: 3ae0e6e2282d69f6a29daa640538588f82f3507cb970e478017c8bd43d05d967
Instruction Fuzzy Hash: A101D633124619AADB24DB55D889FFB73ECFB40764F14401EF82896040EB35ED81D1A4

Function 00CE1F3D Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

freerdp_new.GETSCREEN-120727697-X86 ref: 00CE1F56
freerdp_context_new.GETSCREEN-120727697-X86(00000000,00000000,?,?), ref: 00CE1FA4
freerdp_register_addin_provider.GETSCREEN-120727697-X86(?,00000000), ref: 00CE1FC7

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_context_newfreerdp_newfreerdp_register_addin_provider
String ID:
API String ID: 3731710698-0
Opcode ID: c7ad4b8ddc29f2026e6594f1cf946530098d0cd0edd3b4bb31e69273d58aaf34
Instruction ID: c58d861cf67699edcfe39812f4e814518e5476ece2240675f27014c877801945
Opcode Fuzzy Hash: c7ad4b8ddc29f2026e6594f1cf946530098d0cd0edd3b4bb31e69273d58aaf34
Instruction Fuzzy Hash: 1511C271604B426BC724AFB7D801B9AB7A9FF54320F18041EFC6987241EB70F960CBA1

Function 00C76AF2 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 299COMMON

Download Yara Rule

APIs

freerdp_settings_free.GETSCREEN-120727697-X86(00000000), ref: 00C77326

Part of subcall function 00C77F9B: GetComputerNameExA.KERNEL32(00000000,?,?,00000000), ref: 00C77FCC
Part of subcall function 00C77F9B: freerdp_settings_set_string.GETSCREEN-120727697-X86(?,00000680,?), ref: 00C77FFC

freerdp_settings_set_string.GETSCREEN-120727697-X86(00000000,00000086,?), ref: 00C76D8C

Strings

C:\Windows\System32\mstscax.dll, xrefs: 00C76F3F

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_settings_set_string$ComputerNamefreerdp_settings_free
String ID: C:\Windows\System32\mstscax.dll
API String ID: 2334115954-183970058
Opcode ID: 3ead6d6141e508d70783c2d07cf00166af5ba66f3d51be426905ed17eea09a41
Instruction ID: 18f748e46324f11517d3070684f4585324c3b52d1942d9f90cdc0ad9a3994ba8
Opcode Fuzzy Hash: 3ead6d6141e508d70783c2d07cf00166af5ba66f3d51be426905ed17eea09a41
Instruction Fuzzy Hash: 49E1B4B1515F009FE324DF38D885B93BBE4FF08311F50992EE5AE8B291D7B1A5848B58

Function 00CF68CF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

InitializeCriticalSectionAndSpinCount.KERNEL32(0000000C,00000FA0,?,?,?,00CF6A0A,?,?,00000000,?,00CEE976,00000000), ref: 00CF697B

Strings

%s: unknown handler type %u, xrefs: 00CF6903
WLog_Appender_New, xrefs: 00CF68FE

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: CountCriticalInitializeSectionSpin
String ID: %s: unknown handler type %u$WLog_Appender_New
API String ID: 2593887523-3466059274
Opcode ID: 57a9b03f1826c421c7590099a8655bbbb71342b9cfac026f1a3b8f97ca46dac4
Instruction ID: 8d171b9737f7cfca2bed57c441d5b22597130199aded6cd4ca19685095870393
Opcode Fuzzy Hash: 57a9b03f1826c421c7590099a8655bbbb71342b9cfac026f1a3b8f97ca46dac4
Instruction Fuzzy Hash: 9311553610830D6786A23A3AAC4AD3F6B6CDF43F30B24801DF715A2192DEB1DB013163

Function 00C63FD6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

Strings

DeviceServiceEntry, xrefs: 00C6419C
%s%s-client.%s, xrefs: 00C6415A

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID:
String ID: %s%s-client.%s$DeviceServiceEntry
API String ID: 0-2733899524
Opcode ID: 3537da57ea7a36018a5acff2e8e09aa2afcc40afa21c6ec21f6eecd06e517cac
Instruction ID: aaae58cbfec2e670d9b73810624af420bcf46465ab5f91f6bcacbbce181c6da2
Opcode Fuzzy Hash: 3537da57ea7a36018a5acff2e8e09aa2afcc40afa21c6ec21f6eecd06e517cac
Instruction Fuzzy Hash: 5C119471A01319ABAB259E99C8C1ABF77ACDF41B50F08402AFD24E7241D770DF418791

Function 00CA4029 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000003,00000080,00000000), ref: 00CA4060
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00CA4076

Strings

%s %hu %s %s %s, xrefs: 00CA40FC

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: File$CreatePointer
String ID: %s %hu %s %s %s
API String ID: 2024441833-2916857029
Opcode ID: b695c42299a2a3804cb478fdf90222c17aac81cdc66307ef39e3d7c8992daa10
Instruction ID: ba4291fb55105818d2d683b22501a3024465e7051a882d0b44bb98b12dba3f49
Opcode Fuzzy Hash: b695c42299a2a3804cb478fdf90222c17aac81cdc66307ef39e3d7c8992daa10
Instruction Fuzzy Hash: BB01A231101210BBDB212B66DC4EEAB7F29EF46774F248254FA18990E2D762C952D7B0

Function 00CEEBD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,00000000,?,00CEE987), ref: 00CEEBF6
GetEnvironmentVariableA.KERNEL32(WLOG_FILTER,00000000,00000000,?,?,00CEE987), ref: 00CEEC1A

Strings

WLOG_FILTER, xrefs: 00CEEBE5, 00CEEC15

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: EnvironmentVariable
String ID: WLOG_FILTER
API String ID: 1431749950-2006202657
Opcode ID: bf79e087ab1fa8069fe0715b564dc7d1316a1f6030b96a6ba75a10ed00309626
Instruction ID: 6d23fc70291175d661ec6dd9ffe20322ba75071a1831f001072d51eb6b763e56
Opcode Fuzzy Hash: bf79e087ab1fa8069fe0715b564dc7d1316a1f6030b96a6ba75a10ed00309626
Instruction Fuzzy Hash: 9AF024322157692F86102766BC49C2B7FBDEA86BE8320002AF008D3142FB655C0697B2

Function 00CF4BC1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00CF4AE3), ref: 00CF4BCC
GetEnvironmentVariableA.KERNEL32(WINPR_NATIVE_SSPI,00000000,00000000,?,?,00CF4AE3), ref: 00CF4BEC

Strings

WINPR_NATIVE_SSPI, xrefs: 00CF4BC7, 00CF4BE7

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: EnvironmentVariable
String ID: WINPR_NATIVE_SSPI
API String ID: 1431749950-1020623567
Opcode ID: f4ed3cbbf7ae36d89881595b785e96fcbe566a641e53efff93d74f863786adab
Instruction ID: 56c4f3ad4bf836be16c15adf27291ebfdc1042dfd5df2e778f6cc2b1b7756d6c
Opcode Fuzzy Hash: f4ed3cbbf7ae36d89881595b785e96fcbe566a641e53efff93d74f863786adab
Instruction Fuzzy Hash: ABF0273226A6366BD57922A97C05F3B4E74CBC2F21B321118FA05E7187DA40490742F3

Function 00CBA2AA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

rfx_context_new.GETSCREEN-120727697-X86(?), ref: 00CBA2ED

Part of subcall function 00CAE4DD: GetVersionExA.KERNEL32(?), ref: 00CAE5CD
Part of subcall function 00CAE4DD: GetNativeSystemInfo.KERNEL32(?), ref: 00CAE5E7
Part of subcall function 00CAE4DD: RegOpenKeyExA.ADVAPI32(80000002,Software\FreeRDP\FreeRDP\RemoteFX,00000000,00020119,?), ref: 00CAE612

progressive_context_free.GETSCREEN-120727697-X86(00000000), ref: 00CBA36D

Strings

com.freerdp.codec.progressive, xrefs: 00CBA2CA

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: InfoNativeOpenSystemVersionprogressive_context_freerfx_context_new
String ID: com.freerdp.codec.progressive
API String ID: 2699998398-3622116780
Opcode ID: 57234f945137b88eae6debcd36e78d38ae763884ff791a1fc53bed09f5fb6c51
Instruction ID: 9b5c2bcb76044ff0ab59c10416f9122179b8f03676d59f5bda71b1bed97d4f59
Opcode Fuzzy Hash: 57234f945137b88eae6debcd36e78d38ae763884ff791a1fc53bed09f5fb6c51
Instruction Fuzzy Hash: E8F0253390470216D32077759C01F8B7BD8DF43B70F14002EF159965D2DA70D401C276

Function 00CA1ED8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

freerdp_settings_get_key_for_name.GETSCREEN-120727697-X86(?), ref: 00CA1EEF
freerdp_settings_get_type_for_key.GETSCREEN-120727697-X86(00000000), ref: 00CA1F51

Strings

TRUE, xrefs: 00CA1F65

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: freerdp_settings_get_key_for_namefreerdp_settings_get_type_for_key
String ID: TRUE
API String ID: 1888880752-3412697401
Opcode ID: edb2a0a43bb647a5f3de07aed0fb1771d53ba3b3d6b9d82bd8137d7bad1e4db1
Instruction ID: 47fe95b50e2b3f50d53236ac2f4a57a902267d89b16e41fa9b632be209bb8db2
Opcode Fuzzy Hash: edb2a0a43bb647a5f3de07aed0fb1771d53ba3b3d6b9d82bd8137d7bad1e4db1
Instruction Fuzzy Hash: 85E0E5323003A6BF9B155ADFEC82E9F331DEB87B79F094066FD0496141E760DA0045B0

Function 00CF717D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,00CF7163), ref: 00CF7190
GetEnvironmentVariableA.KERNEL32(WTSAPI_LIBRARY,00000000,00000000,?,?,00CF7163), ref: 00CF71B1

Part of subcall function 00CF7310: LoadLibraryA.KERNEL32(?,?,00CF71C4,00000000,?,?,00CF7163), ref: 00CF7316
Part of subcall function 00CF7310: GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00CF732B

Strings

WTSAPI_LIBRARY, xrefs: 00CF718B, 00CF71AC

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: EnvironmentVariable$AddressLibraryLoadProc
String ID: WTSAPI_LIBRARY
API String ID: 3590464466-1122459656
Opcode ID: 95401d380039b3102170197381898e07c83083badcd0864d40b7962c3036f142
Instruction ID: 81899c94932b77682e75ccedafa72d661b93eb397e7d2ff629db0d0d694de3cd
Opcode Fuzzy Hash: 95401d380039b3102170197381898e07c83083badcd0864d40b7962c3036f142
Instruction Fuzzy Hash: 3AE09B3221A71A2BD1712358BC0AFFF1A25DFC2B65F600219F504F61C6AB50590985B7

Function 00CF7310 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,00CF71C4,00000000,?,?,00CF7163), ref: 00CF7316
GetProcAddress.KERNEL32(00000000,InitWtsApi), ref: 00CF732B

Strings

InitWtsApi, xrefs: 00CF7325

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: InitWtsApi
API String ID: 2574300362-3428673357
Opcode ID: 3528b29f29c87284c5f241e449093af0471e706cc21459812d516632ac486929
Instruction ID: be53ae5c7f72de6f6ed39a310ddf535644d9739082c71cf3ec95a354bbe92648
Opcode Fuzzy Hash: 3528b29f29c87284c5f241e449093af0471e706cc21459812d516632ac486929
Instruction Fuzzy Hash: 41D05E71A9870EAB9F40AFF2BC059263FECEB416403045935AC2DD2261EB71C624A6A1

Function 00D5F42C Relevance: 5.2, APIs: 4, Instructions: 154COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00D4B650,00EA0388,0000000C), ref: 00D5F430
SetLastError.KERNEL32(00000000), ref: 00D5F4D2
GetLastError.KERNEL32(00000000,?,00D45FDD,00D5F0E3,?,?,00CEF77A,0000000C,?,?,?,?,00C627D2,?,?,?), ref: 00D5F581
SetLastError.KERNEL32(00000000,00000006), ref: 00D5F623

Part of subcall function 00D5F066: HeapFree.KERNEL32(00000000,00000000,?,00D45F2D,?,?,?,00CEFA9A,?,?,?,?,?,00C6293F,?,?), ref: 00D5F07C
Part of subcall function 00D5F066: GetLastError.KERNEL32(?,?,00D45F2D,?,?,?,00CEFA9A,?,?,?,?,?,00C6293F,?,?), ref: 00D5F087

Memory Dump Source

Source File: 00000007.00000002.119692796117.0000000000681000.00000040.00000001.01000000.00000003.sdmp, Offset: 00680000, based on PE: true

Associated: 00000007.00000002.119692766869.0000000000680000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E04000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000E0C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EAB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000EBE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000ECF000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000F1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000000FB8000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.00000000011A1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001BA3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001CF9000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001D0A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119692796117.0000000001DAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000007.00000002.119694950423.0000000001DD3000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_680000_getscreen-120727697-x86.jbxd

Similarity

API ID: ErrorLast$FreeHeap
String ID:
API String ID: 3197834085-0
Opcode ID: 47cf0da972256e59c7d8c912e23314be030c15ebe3c3930b7a78db73e2660b38
Instruction ID: 02fe11673f801efc6ba6f6cb235ea44265cc923df8d0108943c7cdc9e384f4a3
Opcode Fuzzy Hash: 47cf0da972256e59c7d8c912e23314be030c15ebe3c3930b7a78db73e2660b38
Instruction Fuzzy Hash: 1141C3356093116FDE207B79EC86E2B2288DF45366B180731FEA0EE1E1EB18CC0E8171

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
Tactics:	Collection
Data Sources:	Logon Session: Logon Session Creation, Process: Process Access, Process: Process Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report getscreen-120727697-x86.exe

Overview

General Information

Detection

Compliance

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Bitcoin Miner

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Getscreen.me\folder\settings.dat

C:\ProgramData\Getscreen.me\logs\20240903.log

C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe

C:\ProgramData\Getscreen.me\rzrcqgspmqryvpnwupffnbzpjfygzjn-elevate.exe:Zone.Identifier

C:\Users\user\AppData\Local\Getscreen.me\folder\settings.dat

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

Windows Analysis Report
getscreen-120727697-x86.exe

Function 018D29E0 Relevance: 7.7, APIs: 5, Instructions: 212
librarymemoryloaderCOMMON

Function 0084B6E0 Relevance: 6.1, APIs: 4, Instructions: 66
threadCOMMON

Function 0084B62B Relevance: 3.0, APIs: 2, Instructions: 38
threadCOMMON

Function 007F7449 Relevance: 224.3, APIs: 64, Strings: 64, Instructions: 269
libraryloaderCOMMON

Function 007AE4DD Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 138
registrythreadCOMMON

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre