Source: C:\Windows\Logs\logs\rw32core.dll |
Avira: detection malicious, Label: TR/Agent.zottn |
Source: C:\Windows\Logs\logs\Secur32.dll |
ReversingLabs: Detection: 78% |
Source: C:\Windows\Logs\logs\rw32core.dll |
ReversingLabs: Detection: 87% |
Source: OPyF68i97j.exe |
ReversingLabs: Detection: 60% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: C:\Windows\Logs\logs\Secur32.dll |
Joe Sandbox ML: detected |
Source: C:\Windows\Logs\logs\rw32core.dll |
Joe Sandbox ML: detected |
Source: OPyF68i97j.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: OPyF68i97j.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: |
Binary string: consent.pdb source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr |
Source: |
Binary string: consent.pdbW3 source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00492AF0 FindFirstFileW,FindClose, |
0_2_00492AF0 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose, |
0_2_004929F0 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_00492AF0 FindFirstFileW,FindClose, |
4_2_00492AF0 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose, |
4_2_004929F0 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_004113F4 FindFirstFileA,FindNextFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime, |
14_2_004113F4 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0040B703 FindFirstFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, |
14_2_0040B703 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01225BB6 FindFirstFileExW, |
14_2_01225BB6 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_013392EB FindFirstFileExW, |
14_2_013392EB |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01322760 SHGetValueA,CoCreateGuid,wsprintfA,SHSetValueA,GetComputerNameA,GetUserNameA,lstrlenA,GlobalMemoryStatusEx,__aulldiv,GetLogicalDriveStringsA,GetDriveTypeA,GetDiskFreeSpaceExA,RegOpenKeyExA,RegQueryValueExA,GetNativeSystemInfo,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument, |
14_2_01322760 |
Source: global traffic |
TCP traffic: 114.55.25.226 ports 8443,8080,1,2,443,80,53,21 |
Source: global traffic |
TCP traffic: 192.168.2.5:49708 -> 114.55.25.226:8080 |
Source: global traffic |
TCP traffic: 192.168.2.5:49705 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49749 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49736 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49723 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49767 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49755 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49743 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49717 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49730 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49773 -> 114.55.25.226:53 |
Source: global traffic |
TCP traffic: 192.168.2.5:49761 -> 114.55.25.226:53 |
Source: Joe Sandbox View |
ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0132AEF0 Sleep,recv,recv, |
14_2_0132AEF0 |
Source: global traffic |
DNS traffic detected: DNS query: www.uvfr4ep.com |
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr |
String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0 |
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr |
String found in binary or memory: http://ocsp.thawte.com0 |
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr |
String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0 |
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr |
String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0( |
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr |
String found in binary or memory: http://ts-ocsp.ws.symantec.com07 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49757 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49732 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49775 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49707 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49732 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49763 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49751 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49725 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49763 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49745 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49769 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49719 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49719 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49707 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49751 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49775 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49738 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49725 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49769 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49757 |
Source: unknown |
Network traffic detected: HTTP traffic on port 49738 -> 443 |
Source: unknown |
Network traffic detected: HTTP traffic on port 443 -> 49745 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01323700 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,WTSEnumerateSessionsA,WTSQuerySessionInformationA,lstrcpyA,WTSFreeMemory,lstrcmpA,WTSFreeMemory,GetCurrentProcess,WTSQueryUserToken,DuplicateTokenEx,SetTokenInformation,CreateProcessAsUserA,CreateThread, |
14_2_01323700 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\ |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\brcc.exe |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\rw32core.dll |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\consent.exe |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\Secur32.dll |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_004A321C |
0_2_004A321C |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00497563 |
0_2_00497563 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_004A4B22 |
0_2_004A4B22 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_004A333C |
0_2_004A333C |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_0049FD30 |
0_2_0049FD30 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_004A01C8 |
0_2_004A01C8 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00497795 |
0_2_00497795 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_004A321C |
4_2_004A321C |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_00497563 |
4_2_00497563 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_004A4B22 |
4_2_004A4B22 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_004A333C |
4_2_004A333C |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_0049FD30 |
4_2_0049FD30 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_004A01C8 |
4_2_004A01C8 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_00497795 |
4_2_00497795 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_00413000 |
14_2_00413000 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01221670 |
14_2_01221670 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01221000 |
14_2_01221000 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0122BB81 |
14_2_0122BB81 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0132ACB0 |
14_2_0132ACB0 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_013329E5 |
14_2_013329E5 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0132A880 |
14_2_0132A880 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0133BB20 |
14_2_0133BB20 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_013403FD |
14_2_013403FD |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01326240 |
14_2_01326240 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0133ED9C |
14_2_0133ED9C |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0133EC7C |
14_2_0133EC7C |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_013327B3 |
14_2_013327B3 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0133BFB8 |
14_2_0133BFB8 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01341640 |
14_2_01341640 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01325ED0 |
14_2_01325ED0 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: String function: 0132EA20 appears 37 times |
|
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: String function: 0041A7D4 appears 70 times |
|
Source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameconsent.exej% vs OPyF68i97j.exe |
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameBRCC32.EXE. vs OPyF68i97j.exe |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@23/4@2/1 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: wsprintfW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateServiceW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,RegOpenKeyExW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,RegSetValueExW,RegSetValueExW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,RegSetValueExW,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
0_2_004921C0 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: wsprintfW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateServiceW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,RegOpenKeyExW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,RegSetValueExW,RegSetValueExW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,RegSetValueExW,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
4_2_004921C0 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00491DA0 CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,TerminateProcess,Process32Next,CloseHandle,CloseHandle, |
0_2_00491DA0 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00491B20 GetModuleFileNameW,ExitProcess,OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,ExitProcess, |
0_2_00491B20 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00492B40 StartServiceCtrlDispatcherW, |
0_2_00492B40 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_00492B40 StartServiceCtrlDispatcherW, |
4_2_00492B40 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:3556:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Mutant created: \Sessions\1\BaseNamedObjects\userResideVirtual1 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:7160:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \BaseNamedObjects\Local\SM0:6004:120:WilError_03 |
Source: C:\Windows\Logs\logs\brcc.exe |
Mutant created: \BaseNamedObjects\askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Mutant created: \BaseNamedObjects\SYSTEMResideVirtual0 |
Source: OPyF68i97j.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\OPyF68i97j.exe "C:\Users\user\Desktop\OPyF68i97j.exe" |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices" |
|
Source: unknown |
Process created: C:\Users\user\Desktop\OPyF68i97j.exe "C:\Users\user\Desktop\OPyF68i97j.exe" -service |
|
Source: unknown |
Process created: C:\Users\user\Desktop\OPyF68i97j.exe C:\Users\user\Desktop\OPyF68i97j.exe |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices" |
|
Source: unknown |
Process created: C:\Users\user\Desktop\OPyF68i97j.exe C:\Users\user\Desktop\OPyF68i97j.exe |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices" |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\Logs\logs\brcc.exe "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG |
|
Source: C:\Windows\Logs\logs\brcc.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: unknown |
Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager |
|
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: xmllite.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: taskschd.dll |
Source: C:\Windows\SysWOW64\schtasks.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Section loaded: wldp.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: apphelp.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: rw32core.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: iphlpapi.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: wtsapi32.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: winhttp.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: sspicli.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: dhcpcsvc6.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: dhcpcsvc.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: dnsapi.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: mswsock.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Windows\Logs\logs\brcc.exe |
Section loaded: rasadhlp.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: licensemanagersvc.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: licensemanager.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: clipc.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: cryptsp.dll |
Source: C:\Windows\System32\svchost.exe |
Section loaded: wldp.dll |
Source: OPyF68i97j.exe |
Static file information: File size 4323328 > 1048576 |
Source: OPyF68i97j.exe |
Static PE information: Raw size of .Net is bigger than: 0x100000 < 0x200000 |
Source: OPyF68i97j.exe |
Static PE information: Raw size of .Fun is bigger than: 0x100000 < 0x200000 |
Source: OPyF68i97j.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: brcc.exe.4.dr |
Static PE information: 0x9CE02625 [Tue May 27 05:12:05 2053 UTC] |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0040A155 LoadLibraryA,GetProcAddress, |
14_2_0040A155 |
Source: OPyF68i97j.exe |
Static PE information: section name: .Config |
Source: OPyF68i97j.exe |
Static PE information: section name: .Net |
Source: OPyF68i97j.exe |
Static PE information: section name: .Fun |
Source: rw32core.dll.4.dr |
Static PE information: section name: .pe |
Source: consent.exe.4.dr |
Static PE information: section name: consent |
Source: Secur32.dll.4.dr |
Static PE information: section name: .pe |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_00421BC5 push eax; ret |
14_2_00421C01 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_00422D95 push ebp; retf |
14_2_00422DA4 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0040E6CA push eax; ret |
14_2_0040E7B3 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_012226C6 push ecx; ret |
14_2_012226D9 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0132EA66 push ecx; ret |
14_2_0132EA79 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Executable created and started: C:\Windows\Logs\logs\brcc.exe |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\rw32core.dll |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\Secur32.dll |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\brcc.exe |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
File created: C:\Windows\Logs\logs\consent.exe |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DISMsrv |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Evasive API call chain: CreateMutex,DecisionNodes,Sleep |
Source: C:\Windows\Logs\logs\brcc.exe |
Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess |
Source: C:\Windows\Logs\logs\brcc.exe |
Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Dropped PE file which has not been started: C:\Windows\Logs\logs\Secur32.dll |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Dropped PE file which has not been started: C:\Windows\Logs\logs\consent.exe |
Source: C:\Users\user\Desktop\OPyF68i97j.exe TID: 1488 |
Thread sleep time: -120000s >= -30000s |
Source: C:\Users\user\Desktop\OPyF68i97j.exe TID: 1488 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\Logs\logs\brcc.exe TID: 1476 |
Thread sleep time: -120000s >= -30000s |
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220 |
Thread sleep count: 78 > 30 |
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220 |
Thread sleep time: -78000s >= -30000s |
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220 |
Thread sleep count: 63 > 30 |
Source: C:\Windows\Logs\logs\brcc.exe TID: 1476 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\System32\conhost.exe |
WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS |
Source: C:\Windows\System32\conhost.exe |
Last function: Thread delayed |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Last function: Thread delayed |
Source: C:\Windows\Logs\logs\brcc.exe |
Last function: Thread delayed |
Source: C:\Windows\Logs\logs\brcc.exe |
File Volume queried: C:\ FullSizeInformation |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_00405918 GetSystemInfo, |
14_2_00405918 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Thread delayed: delay time: 60000 |
Source: C:\Windows\Logs\logs\brcc.exe |
Thread delayed: delay time: 60000 |
Source: brcc.exe, 0000000E.00000002.3890021723.00000000004FE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
API call chain: ExitProcess graph end node |
Source: C:\Windows\Logs\logs\brcc.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_004983A8 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0040A155 LoadLibraryA,GetProcAddress, |
14_2_0040A155 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_0049D843 mov eax, dword ptr fs:[00000030h] |
0_2_0049D843 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_0049901C mov eax, dword ptr fs:[00000030h] |
0_2_0049901C |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_0049D843 mov eax, dword ptr fs:[00000030h] |
4_2_0049D843 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_0049901C mov eax, dword ptr fs:[00000030h] |
4_2_0049901C |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_00406F0A mov eax, dword ptr fs:[00000030h] |
14_2_00406F0A |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0122431D mov eax, dword ptr fs:[00000030h] |
14_2_0122431D |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_012254CD mov eax, dword ptr fs:[00000030h] |
14_2_012254CD |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_013377BD mov eax, dword ptr fs:[00000030h] |
14_2_013377BD |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01337801 mov eax, dword ptr fs:[00000030h] |
14_2_01337801 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01333CD4 mov eax, dword ptr fs:[00000030h] |
14_2_01333CD4 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_012270E0 GetProcessHeap, |
14_2_012270E0 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00492DDF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00492DDF |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_004983A8 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_00492DDF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
4_2_00492DDF |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 4_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
4_2_004983A8 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01221CBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
14_2_01221CBF |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_012224F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
14_2_012224F8 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_012254FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
14_2_012254FE |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0132E972 SetUnhandledExceptionFilter, |
14_2_0132E972 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0132E810 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
14_2_0132E810 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0132DF42 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
14_2_0132DF42 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_01331654 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
14_2_01331654 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Process created: C:\Windows\Logs\logs\brcc.exe "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00491930 ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,OpenProcessToken,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,RevertToSelf,LocalFree,LocalFree,FreeSid, |
0_2_00491930 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_012226DC cpuid |
14_2_012226DC |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_004935E1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, |
0_2_004935E1 |
Source: C:\Users\user\Desktop\OPyF68i97j.exe |
Code function: 0_2_00491E90 GetCurrentProcessId,ProcessIdToSessionId,GetUserNameA,lstrcatA,lstrcpyA,ReleaseMutex,CloseHandle,CreateMutexA,GetModuleFileNameA,WinExec,WinExec,WinExec,GetCurrentProcessId,ExitProcess, |
0_2_00491E90 |
Source: C:\Windows\Logs\logs\brcc.exe |
Code function: 14_2_0040596F GetVersion, |
14_2_0040596F |