Edit tour

Windows Analysis Report
OPyF68i97j.exe

Overview

General Information

Sample name:	OPyF68i97j.exe renamed because original name is a hash value
Original sample name:	84f6d402fc4b76b949a893344b73ae1b4abb21dc9989745728cd18c92991e0ae.exe
Analysis ID:	1524406
MD5:	048fe750e586bce2fe5c5f0c77dd208f
SHA1:	cc82bb9ec77116cdea64b52aed1417ff2389b925
SHA256:	84f6d402fc4b76b949a893344b73ae1b4abb21dc9989745728cd18c92991e0ae
Tags:	exewww-uvfr4ep-comuser-JAMESWT_MHT
Infos:

Detection

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Drops executables to the windows directory (C:\Windows) and starts them

Found evasive API chain (may stop execution after checking mutex)

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges

Uses schtasks.exe or at.exe to add and modify task schedules

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to launch a process as a different user

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Communication To Uncommon Destination Ports

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

OPyF68i97j.exe (PID: 6472 cmdline: "C:\Users\user\Desktop\OPyF68i97j.exe" MD5: 048FE750E586BCE2FE5C5F0C77DD208F)

conhost.exe (PID: 6420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7140 cmdline: schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f MD5: 48C2FE20575769DE916F48EF0676A965)

schtasks.exe (PID: 940 cmdline: schtasks /run /tn "TabletPCInputServices" MD5: 48C2FE20575769DE916F48EF0676A965)

OPyF68i97j.exe (PID: 432 cmdline: "C:\Users\user\Desktop\OPyF68i97j.exe" -service MD5: 048FE750E586BCE2FE5C5F0C77DD208F)

brcc.exe (PID: 6516 cmdline: "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG MD5: 9D2AE725D41B1F9BF384D2F573DF9443)

conhost.exe (PID: 3556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

OPyF68i97j.exe (PID: 6544 cmdline: C:\Users\user\Desktop\OPyF68i97j.exe MD5: 048FE750E586BCE2FE5C5F0C77DD208F)

conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4760 cmdline: schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f MD5: 48C2FE20575769DE916F48EF0676A965)

schtasks.exe (PID: 3364 cmdline: schtasks /run /tn "TabletPCInputServices" MD5: 48C2FE20575769DE916F48EF0676A965)

OPyF68i97j.exe (PID: 7116 cmdline: C:\Users\user\Desktop\OPyF68i97j.exe MD5: 048FE750E586BCE2FE5C5F0C77DD208F)

conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 652 cmdline: schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f MD5: 48C2FE20575769DE916F48EF0676A965)

schtasks.exe (PID: 7108 cmdline: schtasks /run /tn "TabletPCInputServices" MD5: 48C2FE20575769DE916F48EF0676A965)

svchost.exe (PID: 1128 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

System Summary

Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges

Source: Process started

Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f, CommandLine: schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\OPyF68i97j.exe", ParentImage: C:\Users\user\Desktop\OPyF68i97j.exe, ParentProcessId: 6472, ParentProcessName: OPyF68i97j.exe, ProcessCommandLine: schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f, ProcessId: 7140, ProcessName: schtasks.exe

Sigma detected: Communication To Uncommon Destination Ports

Source: Network Connection

Author: Florian Roth (Nextron Systems): Data: DestinationIp: 114.55.25.226, DestinationIsIpv6: false, DestinationPort: 8080, EventID: 3, Image: C:\Windows\Logs\logs\brcc.exe, Initiated: true, ProcessId: 6516, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49708

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 1128, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: OPyF68i97j.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Windows\Logs\logs\rw32core.dll

Avira: detection malicious, Label: TR/Agent.zottn

Multi AV Scanner detection for dropped file

Source: C:\Windows\Logs\logs\Secur32.dll	ReversingLabs: Detection: 78%
Source: C:\Windows\Logs\logs\rw32core.dll	ReversingLabs: Detection: 87%

Multi AV Scanner detection for submitted file

Source: OPyF68i97j.exe

ReversingLabs: Detection: 60%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Windows\Logs\logs\Secur32.dll	Joe Sandbox ML: detected
Source: C:\Windows\Logs\logs\rw32core.dll	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: OPyF68i97j.exe

Joe Sandbox ML: detected

Source: OPyF68i97j.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: OPyF68i97j.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: consent.pdb source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr
Source:	Binary string: consent.pdbW3 source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_00492AF0 FindFirstFileW,FindClose,	0_2_00492AF0
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose,	0_2_004929F0
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_00492AF0 FindFirstFileW,FindClose,	4_2_00492AF0
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose,	4_2_004929F0
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_004113F4 FindFirstFileA,FindNextFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime,	14_2_004113F4
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0040B703 FindFirstFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose,	14_2_0040B703
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01225BB6 FindFirstFileExW,	14_2_01225BB6
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_013392EB FindFirstFileExW,	14_2_013392EB

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_01322760 SHGetValueA,CoCreateGuid,wsprintfA,SHSetValueA,GetComputerNameA,GetUserNameA,lstrlenA,GlobalMemoryStatusEx,__aulldiv,GetLogicalDriveStringsA,GetDriveTypeA,GetDiskFreeSpaceExA,RegOpenKeyExA,RegQueryValueExA,GetNativeSystemInfo,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,std::_Xinvalid_argument,

14_2_01322760

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 114.55.25.226 ports 8443,8080,1,2,443,80,53,21

Source: global traffic

TCP traffic: 192.168.2.5:49708 -> 114.55.25.226:8080

Source: global traffic	TCP traffic: 192.168.2.5:49705 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49749 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49736 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49723 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49767 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49755 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49743 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49717 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49730 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49773 -> 114.55.25.226:53
Source: global traffic	TCP traffic: 192.168.2.5:49761 -> 114.55.25.226:53

Source: Joe Sandbox View

ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_0132AEF0 Sleep,recv,recv,

14_2_0132AEF0

Source: global traffic

DNS traffic detected: DNS query: www.uvfr4ep.com

Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07

Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49769
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_01323700 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,WTSEnumerateSessionsA,WTSQuerySessionInformationA,lstrcpyA,WTSFreeMemory,lstrcmpA,WTSFreeMemory,GetCurrentProcess,WTSQueryUserToken,DuplicateTokenEx,SetTokenInformation,CreateProcessAsUserA,CreateThread,

14_2_01323700

Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\brcc.exe	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\rw32core.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\consent.exe	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\Secur32.dll	Jump to behavior

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_004A321C	0_2_004A321C
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_00497563	0_2_00497563
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_004A4B22	0_2_004A4B22
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_004A333C	0_2_004A333C
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_0049FD30	0_2_0049FD30
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_004A01C8	0_2_004A01C8
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_00497795	0_2_00497795
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_004A321C	4_2_004A321C
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_00497563	4_2_00497563
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_004A4B22	4_2_004A4B22
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_004A333C	4_2_004A333C
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_0049FD30	4_2_0049FD30
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_004A01C8	4_2_004A01C8
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_00497795	4_2_00497795
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_00413000	14_2_00413000
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01221670	14_2_01221670
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01221000	14_2_01221000
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0122BB81	14_2_0122BB81
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0132ACB0	14_2_0132ACB0
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_013329E5	14_2_013329E5
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0132A880	14_2_0132A880
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0133BB20	14_2_0133BB20
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_013403FD	14_2_013403FD
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01326240	14_2_01326240
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0133ED9C	14_2_0133ED9C
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0133EC7C	14_2_0133EC7C
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_013327B3	14_2_013327B3
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0133BFB8	14_2_0133BFB8
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01341640	14_2_01341640
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01325ED0	14_2_01325ED0

Source: C:\Windows\Logs\logs\brcc.exe	Code function: String function: 0132EA20 appears 37 times
Source: C:\Windows\Logs\logs\brcc.exe	Code function: String function: 0041A7D4 appears 70 times

Source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameconsent.exej% vs OPyF68i97j.exe
Source: OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameBRCC32.EXE. vs OPyF68i97j.exe

Source: OPyF68i97j.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@23/4@2/1

Source: C:\Windows\Logs\logs\brcc.exe

14_2_01322760

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: wsprintfW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateServiceW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,RegOpenKeyExW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,RegSetValueExW,RegSetValueExW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,RegSetValueExW,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		0_2_004921C0
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: wsprintfW,OpenSCManagerW,OpenServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CreateServiceW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,RegOpenKeyExW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,RegSetValueExW,RegSetValueExW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,RegSetValueExW,RegCloseKey,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,		4_2_004921C0

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Code function: 0_2_00491DA0 CreateToolhelp32Snapshot,Process32First,Process32Next,OpenProcess,TerminateProcess,Process32Next,CloseHandle,CloseHandle,

0_2_00491DA0

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Code function: 0_2_00491B20 GetModuleFileNameW,ExitProcess,OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,ExitProcess,

0_2_00491B20

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_00492B40 StartServiceCtrlDispatcherW,		0_2_00492B40
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_00492B40 StartServiceCtrlDispatcherW,		4_2_00492B40

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6420:120:WilError_03
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Mutant created: \Sessions\1\BaseNamedObjects\userResideVirtual1
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6004:120:WilError_03
Source: C:\Windows\Logs\logs\brcc.exe	Mutant created: \BaseNamedObjects\askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Mutant created: \BaseNamedObjects\SYSTEMResideVirtual0

Source: OPyF68i97j.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: OPyF68i97j.exe

ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\OPyF68i97j.exe "C:\Users\user\Desktop\OPyF68i97j.exe"
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"
Source: unknown	Process created: C:\Users\user\Desktop\OPyF68i97j.exe "C:\Users\user\Desktop\OPyF68i97j.exe" -service
Source: unknown	Process created: C:\Users\user\Desktop\OPyF68i97j.exe C:\Users\user\Desktop\OPyF68i97j.exe
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"
Source: unknown	Process created: C:\Users\user\Desktop\OPyF68i97j.exe C:\Users\user\Desktop\OPyF68i97j.exe
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\Logs\logs\brcc.exe "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
Source: C:\Windows\Logs\logs\brcc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\Logs\logs\brcc.exe "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /run /tn "TabletPCInputServices"	Jump to behavior

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: rw32core.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior

Source: OPyF68i97j.exe

Static file information: File size 4323328 > 1048576

Source: OPyF68i97j.exe	Static PE information: Raw size of .Net is bigger than: 0x100000 < 0x200000
Source: OPyF68i97j.exe	Static PE information: Raw size of .Fun is bigger than: 0x100000 < 0x200000

Source: OPyF68i97j.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: OPyF68i97j.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: consent.pdb source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr
Source:	Binary string: consent.pdbW3 source: OPyF68i97j.exe, 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmp, consent.exe.4.dr

Source: brcc.exe.4.dr

Static PE information: 0x9CE02625 [Tue May 27 05:12:05 2053 UTC]

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_0040A155 LoadLibraryA,GetProcAddress,

14_2_0040A155

Source: OPyF68i97j.exe	Static PE information: section name: .Config
Source: OPyF68i97j.exe	Static PE information: section name: .Net
Source: OPyF68i97j.exe	Static PE information: section name: .Fun
Source: rw32core.dll.4.dr	Static PE information: section name: .pe
Source: consent.exe.4.dr	Static PE information: section name: consent
Source: Secur32.dll.4.dr	Static PE information: section name: .pe

Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_00421BC5 push eax; ret	14_2_00421C01
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_00422D95 push ebp; retf	14_2_00422DA4
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0040E6CA push eax; ret	14_2_0040E7B3
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_012226C6 push ecx; ret	14_2_012226D9
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0132EA66 push ecx; ret	14_2_0132EA79

Persistence and Installation Behavior

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Executable created and started: C:\Windows\Logs\logs\brcc.exe

Jump to behavior

Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\rw32core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\Secur32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\brcc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\consent.exe	Jump to dropped file

Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\rw32core.dll	Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\Secur32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\brcc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe	File created: C:\Windows\Logs\logs\consent.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DISMsrv

Jump to behavior

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Code function: 0_2_00491B20 GetModuleFileNameW,ExitProcess,OpenSCManagerW,OpenServiceW,StartServiceW,CloseServiceHandle,CloseServiceHandle,ExitProcess,

0_2_00491B20

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Evasive API call chain: CreateMutex,DecisionNodes,Sleep			graph_4-6377
Source: C:\Windows\Logs\logs\brcc.exe	Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess			graph_14-36018

Source: C:\Windows\Logs\logs\brcc.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_14-36744

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Dropped PE file which has not been started: C:\Windows\Logs\logs\Secur32.dll			Jump to dropped file
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Dropped PE file which has not been started: C:\Windows\Logs\logs\consent.exe			Jump to dropped file

Source: C:\Users\user\Desktop\OPyF68i97j.exe TID: 1488	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe TID: 1488	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1476	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1220	Thread sleep count: 63 > 30	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe TID: 1476	Thread sleep time: -60000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\Logs\logs\brcc.exe	Last function: Thread delayed
Source: C:\Windows\Logs\logs\brcc.exe	Last function: Thread delayed

Source: C:\Windows\Logs\logs\brcc.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_00492AF0 FindFirstFileW,FindClose,	0_2_00492AF0
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose,	0_2_004929F0
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_00492AF0 FindFirstFileW,FindClose,	4_2_00492AF0
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_004929F0 lstrlenW,lstrcatW,lstrlenW,FindFirstFileW,FindClose,	4_2_004929F0
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_004113F4 FindFirstFileA,FindNextFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime,	14_2_004113F4
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0040B703 FindFirstFileA,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose,	14_2_0040B703
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01225BB6 FindFirstFileExW,	14_2_01225BB6
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_013392EB FindFirstFileExW,	14_2_013392EB

Source: C:\Windows\Logs\logs\brcc.exe

14_2_01322760

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_00405918 GetSystemInfo,

14_2_00405918

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Thread delayed: delay time: 60000	Jump to behavior
Source: C:\Windows\Logs\logs\brcc.exe	Thread delayed: delay time: 60000	Jump to behavior

Source: brcc.exe, 0000000E.00000002.3890021723.00000000004FE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5

Source: C:\Users\user\Desktop\OPyF68i97j.exe	API call chain: ExitProcess graph end node	graph_0-6788
Source: C:\Users\user\Desktop\OPyF68i97j.exe	API call chain: ExitProcess graph end node	graph_0-6239
Source: C:\Users\user\Desktop\OPyF68i97j.exe	API call chain: ExitProcess graph end node	graph_0-6179
Source: C:\Users\user\Desktop\OPyF68i97j.exe	API call chain: ExitProcess graph end node	graph_0-6171
Source: C:\Users\user\Desktop\OPyF68i97j.exe	API call chain: ExitProcess graph end node	graph_4-6179
Source: C:\Users\user\Desktop\OPyF68i97j.exe	API call chain: ExitProcess graph end node	graph_4-6310
Source: C:\Users\user\Desktop\OPyF68i97j.exe	API call chain: ExitProcess graph end node	graph_4-6184
Source: C:\Windows\Logs\logs\brcc.exe	API call chain: ExitProcess graph end node	graph_14-36847
Source: C:\Windows\Logs\logs\brcc.exe	API call chain: ExitProcess graph end node	graph_14-36024
Source: C:\Windows\Logs\logs\brcc.exe	API call chain: ExitProcess graph end node	graph_14-35839
Source: C:\Windows\Logs\logs\brcc.exe	API call chain: ExitProcess graph end node	graph_14-35842
Source: C:\Windows\Logs\logs\brcc.exe	API call chain: ExitProcess graph end node	graph_14-36848

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Code function: 0_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_004983A8

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_0040A155 LoadLibraryA,GetProcAddress,

14_2_0040A155

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_0049D843 mov eax, dword ptr fs:[00000030h]	0_2_0049D843
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_0049901C mov eax, dword ptr fs:[00000030h]	0_2_0049901C
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_0049D843 mov eax, dword ptr fs:[00000030h]	4_2_0049D843
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_0049901C mov eax, dword ptr fs:[00000030h]	4_2_0049901C
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_00406F0A mov eax, dword ptr fs:[00000030h]	14_2_00406F0A
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0122431D mov eax, dword ptr fs:[00000030h]	14_2_0122431D
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_012254CD mov eax, dword ptr fs:[00000030h]	14_2_012254CD
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_013377BD mov eax, dword ptr fs:[00000030h]	14_2_013377BD
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01337801 mov eax, dword ptr fs:[00000030h]	14_2_01337801
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01333CD4 mov eax, dword ptr fs:[00000030h]	14_2_01333CD4

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_012270E0 GetProcessHeap,

14_2_012270E0

Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_00492DDF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00492DDF
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 0_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_004983A8
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_00492DDF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00492DDF
Source: C:\Users\user\Desktop\OPyF68i97j.exe	Code function: 4_2_004983A8 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_004983A8
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01221CBF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_01221CBF
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_012224F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_012224F8
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_012254FE IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_012254FE
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0132E972 SetUnhandledExceptionFilter,	14_2_0132E972
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0132E810 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_0132E810
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_0132DF42 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_0132DF42
Source: C:\Windows\Logs\logs\brcc.exe	Code function: 14_2_01331654 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	14_2_01331654

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Process created: C:\Windows\Logs\logs\brcc.exe "C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG

Jump to behavior

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Code function: 0_2_00491930 ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,GetCurrentProcess,OpenProcessToken,OpenProcessToken,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,RevertToSelf,LocalFree,LocalFree,FreeSid,

0_2_00491930

Source: C:\Users\user\Desktop\OPyF68i97j.exe

0_2_00491930

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_012226DC cpuid

14_2_012226DC

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Code function: 0_2_004935E1 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_004935E1

Source: C:\Users\user\Desktop\OPyF68i97j.exe

Code function: 0_2_00491E90 GetCurrentProcessId,ProcessIdToSessionId,GetUserNameA,lstrcatA,lstrcpyA,ReleaseMutex,CloseHandle,CreateMutexA,GetModuleFileNameA,WinExec,WinExec,WinExec,GetCurrentProcessId,ExitProcess,

0_2_00491E90

Source: C:\Windows\Logs\logs\brcc.exe

Code function: 14_2_0040596F GetVersion,

14_2_0040596F

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 Valid Accounts	1 Valid Accounts	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	Data from Removable Media	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	13 Windows Service	1 Access Token Manipulation	1 Timestomp	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	2 Service Execution	1 Scheduled Task/Job	13 Windows Service	1 DLL Side-Loading	NTDS	26 System Information Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	11 Process Injection	12 Masquerading	LSA Secrets	121 Security Software Discovery	SSH	Keylogging	2 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	1 Scheduled Task/Job	1 Valid Accounts	Cached Domain Credentials	11 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	11 Virtualization/Sandbox Evasion	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	11 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
OPyF68i97j.exe	61%	ReversingLabs	Win32.Trojan.Malgent
OPyF68i97j.exe	100%	Avira	TR/Agent.ltlye
OPyF68i97j.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Windows\Logs\logs\rw32core.dll	100%	Avira	TR/Agent.zottn
C:\Windows\Logs\logs\Secur32.dll	100%	Joe Sandbox ML
C:\Windows\Logs\logs\rw32core.dll	100%	Joe Sandbox ML
C:\Windows\Logs\logs\Secur32.dll	78%	ReversingLabs	Win32.Trojan.Malgent
C:\Windows\Logs\logs\brcc.exe	4%	ReversingLabs
C:\Windows\Logs\logs\consent.exe	0%	ReversingLabs
C:\Windows\Logs\logs\rw32core.dll	88%	ReversingLabs	Win32.Trojan.CrypterX

Source	Detection	Scanner	Label	Link
http://crl.thawte.com/ThawteTimestampingCA.crl0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.57.27	true	false		unknown
www.uvfr4ep.com	114.55.25.226	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.thawte.com/ThawteTimestampingCA.crl0	OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr	false	URL Reputation: safe	unknown
http://ocsp.thawte.com0	OPyF68i97j.exe, 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmp, brcc.exe.4.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
114.55.25.226	www.uvfr4ep.com	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1524406
Start date and time:	2024-10-02 19:10:00 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	OPyF68i97j.exe renamed because original name is a hash value
Original Sample Name:	84f6d402fc4b76b949a893344b73ae1b4abb21dc9989745728cd18c92991e0ae.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@23/4@2/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 90% Number of executed functions: 56 Number of non-executed functions: 156
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.85.23.86, 88.221.110.121, 88.221.110.106, 40.69.42.241, 52.165.164.15
Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, download.windowsupdate.com.edgesuite.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: OPyF68i97j.exe

Simulations

Behavior and APIs

Time	Type	Description
19:10:50	Task Scheduler	Run new task: TabletPCInputServices path: C:\Users\user\Desktop\OPyF68i97j.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
114.55.25.226	sample.exe	Get hash	malicious	Gh0stCringe, GhostRat, RunningRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	https://trello.com/c/2T5XVROV	Get hash	malicious	HTMLPhisher	Browse	217.20.57.39
	https://email.mg.pmctraining.com/c/eJwUzDGOhSAQANDTSCfBAQQL2n-PgRmUDaAh_E329hvbVzwKpJF3Ehw2B84ro50WV0j68CYB2SNnQrVvLloHPjtLjAq9KAFAJ7thXDVQWlEdcfVg82oOBTo6s9ucFqPaKZ-W5sDSSz9lupuogbhPrBkT10n4ooxjgU8jXuDzfeqNJJ_rESP8fLGXiXJw6ddd6S3_GnaczPIep_gN8B8AAP__bcA-Lw	Get hash	malicious	HTMLPhisher	Browse	217.20.57.23
	Translink_rishi.vasandani_Advice81108.pdf	Get hash	malicious	Unknown	Browse	217.20.57.37
	http://innerglowjourney.com	Get hash	malicious	Unknown	Browse	217.20.57.27
	bWrRSlOThY.exe	Get hash	malicious	AsyncRAT, Neshta	Browse	217.20.57.34
	https://swissquotech.com/swissquote-2024.zip	Get hash	malicious	Phisher	Browse	217.20.57.24
	VD01NDHM8u.exe	Get hash	malicious	ScreenConnect Tool	Browse	217.20.57.42
	tr5jscSEwo.exe	Get hash	malicious	ScreenConnect Tool	Browse	217.20.57.18
	sostener.vbs	Get hash	malicious	AsyncRAT, DcRat	Browse	84.201.210.35
	https://timetraveltv.com/actions/cart_update.php?currency=GBP&return_url=https://blog.acelyaokcu.com/m/?c3Y9bzM2NV8xX29uZSZyYW5kPVdrcFNRMHM9JnVpZD1VU0VSMDkwOTIwMjRVMTIwOTA5MDE=N0123N%5BEMAIL	Get hash	malicious	Unknown	Browse	217.20.57.18

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	yakov.m68k.elf	Get hash	malicious	Mirai	Browse	8.173.5.16
	yakov.mpsl.elf	Get hash	malicious	Mirai	Browse	8.153.219.75
	novo.mpsl.elf	Get hash	malicious	Mirai, Moobot	Browse	140.205.153.117
	novo.x86.elf	Get hash	malicious	Mirai, Moobot	Browse	8.145.200.55
	yakov.sh4.elf	Get hash	malicious	Mirai	Browse	47.96.183.136
	yakov.spc.elf	Get hash	malicious	Mirai	Browse	8.190.175.88
	setup.ic19.exe	Get hash	malicious	GhostRat, Nitol	Browse	118.178.60.61
	7kSftA4Eoh.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	8.130.42.227
	mtgjyX9gHF.exe	Get hash	malicious	Quasar	Browse	39.102.36.209

Process:	C:\Users\user\Desktop\OPyF68i97j.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	448000
Entropy (8bit):	5.888794800317783
Encrypted:	false
SSDEEP:	6144:frkQvCcpytrBOvwGjKgeR0hJ4mze9qAQ6uz9GXTrapA7xEPDimGzMHy:zQcctibjxeORmu8XTS8xlmBy
MD5:	B25511C04B4A3345EF7F228C73924714
SHA1:	46A4CCAE40E66C0527BFB848D2A1FA5A556E9FC0
SHA-256:	66B7983831CBB952CEEB1FFFF608880F1805F1DF0B062CEF4C17B258B7F478CE
SHA-512:	097E10AB41DBD7D45A1E2599A1F551BDD1553249F8B14E3B9CA95A8CBCC8A70227DAEB387AD1F7ECBA46445205E39EF96BE5CF75817BF4583A64A031776883BB
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 78%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........=...\...\...\...7...\...7..@\...7...\...4...\...4...\...4...\...7...\...\...\..i5...\..i5...\..i5...\..Rich.\..................PE..L...)~b`...........!.........&............................................................@..........................!..T....!..(.......................................8...............................@............................................text.............................. ..`.rdata..@X.......Z..................@..@.data....<...0...2..................@....pe.....@~...p.......H..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Windows\Logs\logs\brcc.exe

Download File

Process:	C:\Users\user\Desktop\OPyF68i97j.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	175528
Entropy (8bit):	6.164528854224287
Encrypted:	false
SSDEEP:	3072:le+COG4lWVKQuCOZx4UdmWDXpjU1DAC8d+RgE/+n2cRkddUTO6gU7xDgtdOk6amP:ljlQKQuCO3dLDXpjUXp/+n2cRYUCy
MD5:	9D2AE725D41B1F9BF384D2F573DF9443
SHA1:	B9FA17D3B0A8184B8BD1BCED16F953B46AF97CBE
SHA-256:	2AACF66D78E284729C3CA0DA6C260FA3A95FF61AAE6527D6DC4500AD7DAA1E63
SHA-512:	BA162A3797DD87BC704F9EFFC04C1396E3625AFBCBC9186207DD253C005F8771C999728834AD0CAC5B0A70CF51DDDFB1DA8A8A0273CE975B0F19269DA17813C0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 4%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...%&......................q.....................@.......................... .......Y........... ......................W................F..........0...x...........................................................................................CODE................................`...DATA.............`..................@....tls.........p....... ..............@....rdata..............."..............@..P.idata...............$..............@....edata..............................@..@.reloc... ...........2..............@..P.rsrc...0F......0F...N..............@....debug....... ..qp..................@..P........................................................................................................................................

C:\Windows\Logs\logs\consent.exe

Download File

Process:	C:\Users\user\Desktop\OPyF68i97j.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	101968
Entropy (8bit):	5.814112583624504
Encrypted:	false
SSDEEP:	768:YEau+nTNe8/BQK9A/obyD8qcJzuGqy1Z832H86OdFero6ZU9QZU97wYgZHix3udL:YbEhKq/StqyzuGP8mHVqFqzkwAqt
MD5:	FD97EB722401938AD9C3E4BFAB1519A4
SHA1:	8616FEBC20CE5905F38690302156428EF9C2CDB8
SHA-256:	33BFAA84E7543C9504B16113E0E0B16FAF3F117FC92FE4017F682E8E7D13B4FD
SHA-512:	24D458FB627C38AAE70A08AA0DF1E55E1150A84CA02D616215035B72145EE8F0F48FDA843AF7B4E02A37904EFDCA001FD274E72EF1B37BB7BAD957A72284596E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../v.]N..]N..]N..T6.._N..T6..\|N..]N...N..T6..VN..T6..KN..T6..\N..T6..\N..Rich]N..........................PE..L...n.[J............................Y=........................................................... .............................T....................r..P.......P... ...8...........................pj..@.......H....................................text............................... ..`.data...p...........................@...consent.b...........................@....rsrc...............................@..@.reloc..P............h..............@..B~.[J......[J......[J..../.[J....o.[J......[J......[J......[J......[J....C.[J....B.[J....1.[J....N.[J....9.[J....k.[J(...v.[J9...........ADVAPI32.dll.KERNEL32.dll.GDI32.dll.USER32.dll.msvcrt.dll.ntdll.dll.ole32.dll.MSIMG32.dll.WMsgAPI.dll.WTSAPI32.dll.WINMM.dll.USERENV.dll.WINSTA.dll.CRYPT32.dll.MsCtfMonitor.DLL.COMCTL3

C:\Windows\Logs\logs\rw32core.dll

Download File

Process:	C:\Users\user\Desktop\OPyF68i97j.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	988160
Entropy (8bit):	2.8230010982146707
Encrypted:	false
SSDEEP:	6144:7sxLJfLy/ZqLltXaB+WdqJZsgaUe/7WoyNpD+2RF:o/L+m3xWMZKTWoMT
MD5:	8CCB9E82A89352C0B271032B6B9EDC0B
SHA1:	FE165F91E033D1822E2705FBB90BA5A11688C362
SHA-256:	A08E0D1839B86D0D56A52D07123719211A3C3D43A6AA05AA34531A72ED1207DC
SHA-512:	10717A64DDAE9A99008D086B18DA81F8E793C8823F21AB054593AF618EC6A108A00FD62530E136D5BDEB2696A3F5FAB8B05BABE116051C2D94E12725803470A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 88%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......H../...\|...\|...\|...}...\|...}...\|...}...\|^..}...\|^..}...\|^..}...\|...}...\|...\|Y..\|...}...\|...}...\|...}...\|Rich...\|........................PE..L...)~b`...........!.........`.......!.......................................@............@..........................!..T...."..(............................0..........8...............................@............................................text...'........................... ..`.rdata..PX.......Z..................@..@.data....;...0...2..................@....pe..........p.......J..............@....reloc.......0......................@..B................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	3.72525154374232
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	OPyF68i97j.exe
File size:	4'323'328 bytes
MD5:	048fe750e586bce2fe5c5f0c77dd208f
SHA1:	cc82bb9ec77116cdea64b52aed1417ff2389b925
SHA256:	84f6d402fc4b76b949a893344b73ae1b4abb21dc9989745728cd18c92991e0ae
SHA512:	dc4031cc1de6a6a455a2799247b78eb8379ce4409b09954f64bb918fd031e9ff4f97ea8c17b5643125e892613f0c10de410cecd2dc2b8fc4b42811910165dcd1
SSDEEP:	24576:y5qN8uQ+0EAVj21SRMQEMvwQ+AJuplwAi6qAu2j:yAN8uQqAI1/CwQDd
TLSH:	5A16FC62A96021DBC21B07710E325CA00A1DD239B77FD89BAB874FF5D5B366304FD85A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........]..q...q...q...r...q...t.w.q...u...q...t...q...u...q...r...q...p...q...p.w.q.[.y...q.[.q...q.[.s...q.Rich..q................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x403221
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6088D03C [Wed Apr 28 03:02:20 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	32bedc5101920e7f51069b91650d54c1

Entrypoint Preview

Instruction
call 00007F3C48B985EDh
jmp 00007F3C48B98059h
jmp 00007F3C48B9E285h
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3C48B9823Dh
mov dword ptr [esi], 0041626Ch
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00416274h
mov dword ptr [ecx], 0041626Ch
ret
push ebp
mov ebp, esp
push esi
push dword ptr [ebp+08h]
mov esi, ecx
call 00007F3C48B9820Ah
mov dword ptr [esi], 00416288h
mov eax, esi
pop esi
pop ebp
retn 0004h
and dword ptr [ecx+04h], 00000000h
mov eax, ecx
and dword ptr [ecx+08h], 00000000h
mov dword ptr [ecx+04h], 00416290h
mov dword ptr [ecx], 00416288h
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0041624Ch
and dword ptr [eax], 00000000h
and dword ptr [eax+04h], 00000000h
push eax
mov eax, dword ptr [ebp+08h]
add eax, 04h
push eax
call 00007F3C48B99193h
pop ecx
pop ecx
mov eax, esi
pop esi
pop ebp
retn 0004h
lea eax, dword ptr [ecx+04h]
mov dword ptr [ecx], 0041624Ch
push eax
call 00007F3C48B991DEh
pop ecx
ret
push ebp
mov ebp, esp
push esi
mov esi, ecx
lea eax, dword ptr [esi+04h]
mov dword ptr [esi], 0041624Ch
push eax
call 00007F3C48B991C7h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x1cdd0	0x5c	.rdata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1ce2c	0x78	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x422000	0x1284	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1c140	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x1c178	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x16000	0x1f4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x148a3	0x14a00	172a96b89f510dec6ef68534c8fbc5b1	False	0.5868726325757576	data	6.607133995032096	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x16000	0x7980	0x7a00	d783ef718c19e3a38488025eaeffb391	False	0.4516841700819672	data	5.062425612563753	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x1e000	0x1404	0xa00	0183e6cfb10cff55d0a9de4ebc9891db	False	0.198828125	data	2.6176267194866742	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.Config	0x20000	0x1100	0x1200	86d3089f14de3fc709be753e5d2db603	False	0.18033854166666666	data	2.096154985354179	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.Net	0x22000	0x200000	0x200000	d83d1f77a08246d6324f6604d195c41d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.Fun	0x222000	0x200000	0x200000	d0110a2c999e4380c4d3cb900cc5e19d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x422000	0x1284	0x1400	240f66ded465c56fd78129b998898c5e	False	0.75859375	data	6.41016014574849	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
KERNEL32.dll	CreateMutexA, ReleaseMutex, lstrcpyA, GetCommandLineW, ExitProcess, CreateProcessW, Process32First, GetCurrentProcess, TerminateProcess, LocalAlloc, OpenProcess, lstrcmpW, ProcessIdToSessionId, GetCurrentThread, Process32Next, LocalFree, GetCurrentProcessId, WinExec, CreateThread, WriteConsoleW, HeapReAlloc, lstrcpyW, SetFilePointerEx, lstrcatW, GetLastError, Sleep, CreateFileW, FindClose, GetModuleFileNameW, lstrlenW, FindNextFileW, FindFirstFileW, CloseHandle, lstrcatA, GetModuleFileNameA, LeaveCriticalSection, WriteFile, EnterCriticalSection, CreateToolhelp32Snapshot, HeapSize, GetFileSizeEx, GetConsoleMode, GetConsoleOutputCP, FlushFileBuffers, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsProcessorFeaturePresent, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, GetModuleHandleW, RtlUnwind, RaiseException, SetLastError, EncodePointer, DeleteCriticalSection, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, GetProcAddress, LoadLibraryExW, GetStdHandle, GetModuleHandleExW, GetCommandLineA, HeapAlloc, HeapFree, CompareStringW, LCMapStringW, GetFileType, FindFirstFileExW, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, SetStdHandle, GetStringTypeW, GetProcessHeap, DecodePointer
USER32.dll	wsprintfW
ADVAPI32.dll	SetSecurityDescriptorDacl, SetServiceStatus, RegisterServiceCtrlHandlerW, StartServiceCtrlDispatcherW, RevertToSelf, CreateServiceW, RegCloseKey, AccessCheck, SetSecurityDescriptorOwner, CloseServiceHandle, OpenSCManagerW, AllocateAndInitializeSid, GetUserNameA, ImpersonateSelf, RegSetValueExW, IsValidSecurityDescriptor, OpenProcessToken, FreeSid, StartServiceW, InitializeSecurityDescriptor, InitializeAcl, RegOpenKeyExW, OpenServiceW, GetLengthSid, AddAccessAllowedAce, OpenThreadToken, SetSecurityDescriptorGroup
SHELL32.dll	CommandLineToArgvW, SHCreateDirectoryExW
SHLWAPI.dll	SHSetValueW

Exports

Name	Ordinal	Address
CEFProcessForkHandlerEx	1	0x401340

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:10:55.034523964 CEST	49704	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:55.039623022 CEST	21	49704	114.55.25.226	192.168.2.5
Oct 2, 2024 19:10:55.039700985 CEST	49704	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:55.039815903 CEST	49704	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:55.044764042 CEST	21	49704	114.55.25.226	192.168.2.5
Oct 2, 2024 19:10:55.044837952 CEST	49704	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:55.050808907 CEST	21	49704	114.55.25.226	192.168.2.5
Oct 2, 2024 19:10:57.316348076 CEST	21	49704	114.55.25.226	192.168.2.5
Oct 2, 2024 19:10:57.316543102 CEST	49704	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:57.316612959 CEST	49704	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:57.321610928 CEST	21	49704	114.55.25.226	192.168.2.5
Oct 2, 2024 19:10:58.320128918 CEST	49705	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:58.842994928 CEST	53	49705	114.55.25.226	192.168.2.5
Oct 2, 2024 19:10:58.843354940 CEST	49705	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:58.843354940 CEST	49705	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:58.848407030 CEST	53	49705	114.55.25.226	192.168.2.5
Oct 2, 2024 19:10:58.848476887 CEST	49705	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:10:58.853425026 CEST	53	49705	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:01.156474113 CEST	53	49705	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:01.156913996 CEST	49705	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:01.156914949 CEST	49705	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:01.162209988 CEST	53	49705	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:02.164010048 CEST	49706	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:02.169157028 CEST	80	49706	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:02.169265985 CEST	49706	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:02.169312000 CEST	49706	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:02.174490929 CEST	80	49706	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:02.174696922 CEST	49706	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:02.179498911 CEST	80	49706	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:03.256690979 CEST	80	49706	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:03.256863117 CEST	49706	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:03.257083893 CEST	80	49706	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:03.257137060 CEST	49706	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:04.257685900 CEST	49707	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:04.257791042 CEST	443	49707	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:04.257874012 CEST	49707	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:04.257941008 CEST	49707	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:04.257957935 CEST	443	49707	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:04.258017063 CEST	49707	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:04.258028030 CEST	443	49707	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:04.258261919 CEST	443	49707	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:05.288820028 CEST	49708	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:05.294228077 CEST	8080	49708	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:05.294346094 CEST	49708	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:05.294392109 CEST	49708	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:05.299670935 CEST	8080	49708	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:05.299742937 CEST	49708	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:05.304699898 CEST	8080	49708	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:06.386709929 CEST	8080	49708	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:06.386790991 CEST	8080	49708	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:06.386907101 CEST	8080	49708	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:06.386917114 CEST	49708	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:06.386962891 CEST	49708	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:06.387012959 CEST	49708	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:07.398284912 CEST	49713	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:07.403356075 CEST	8443	49713	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:07.403527975 CEST	49713	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:07.403527975 CEST	49713	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:07.408792973 CEST	8443	49713	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:07.408869982 CEST	49713	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:07.413856030 CEST	8443	49713	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:09.631220102 CEST	8443	49713	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:09.631433010 CEST	49713	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:09.631433964 CEST	49713	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:09.636739016 CEST	8443	49713	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:11.648529053 CEST	49716	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:11.653920889 CEST	21	49716	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:11.654011965 CEST	49716	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:11.654098034 CEST	49716	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:11.659153938 CEST	21	49716	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:11.659266949 CEST	49716	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:11.664165974 CEST	21	49716	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:13.934391975 CEST	21	49716	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:13.934479952 CEST	49716	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:13.934545040 CEST	49716	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:13.939491987 CEST	21	49716	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:14.945472956 CEST	49717	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:14.950917959 CEST	53	49717	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:14.951092958 CEST	49717	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:14.951195002 CEST	49717	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:14.955996037 CEST	53	49717	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:14.956085920 CEST	49717	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:14.960916996 CEST	53	49717	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:17.185420036 CEST	53	49717	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:17.185693026 CEST	49717	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:17.185693026 CEST	49717	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:17.191096067 CEST	53	49717	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:18.195321083 CEST	49718	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:18.203111887 CEST	80	49718	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:18.203233957 CEST	49718	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:18.203319073 CEST	49718	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:18.209994078 CEST	80	49718	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:18.210129023 CEST	49718	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:18.217360020 CEST	80	49718	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:19.307996035 CEST	80	49718	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:19.308120966 CEST	80	49718	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:19.308161020 CEST	49718	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:19.308248043 CEST	49718	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:20.320312023 CEST	49719	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:20.320367098 CEST	443	49719	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:20.320553064 CEST	49719	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:20.320597887 CEST	49719	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:20.320604086 CEST	443	49719	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:20.320664883 CEST	49719	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:20.320669889 CEST	443	49719	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:20.320760965 CEST	443	49719	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:21.351507902 CEST	49720	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:21.356838942 CEST	8080	49720	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:21.356960058 CEST	49720	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:21.357078075 CEST	49720	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:21.362232924 CEST	8080	49720	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:21.362297058 CEST	49720	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:21.367366076 CEST	8080	49720	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:22.280061007 CEST	8080	49720	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:22.280220032 CEST	49720	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:22.280323982 CEST	8080	49720	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:22.280550957 CEST	49720	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:23.289057970 CEST	49721	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:23.294523954 CEST	8443	49721	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:23.294732094 CEST	49721	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:23.298099041 CEST	49721	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:23.303002119 CEST	8443	49721	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:23.303159952 CEST	49721	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:23.308334112 CEST	8443	49721	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:25.405535936 CEST	8443	49721	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:25.405733109 CEST	49721	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:25.405822992 CEST	49721	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:25.411464930 CEST	8443	49721	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:27.429636002 CEST	49722	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:27.435085058 CEST	21	49722	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:27.435278893 CEST	49722	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:27.435410023 CEST	49722	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:27.440416098 CEST	21	49722	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:27.440470934 CEST	49722	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:27.445638895 CEST	21	49722	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:29.483273029 CEST	21	49722	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:29.483374119 CEST	49722	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:29.483428955 CEST	49722	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:29.489684105 CEST	21	49722	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:30.492402077 CEST	49723	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:30.497437954 CEST	53	49723	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:30.497545004 CEST	49723	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:30.497659922 CEST	49723	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:30.502599955 CEST	53	49723	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:30.502660036 CEST	49723	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:30.507421970 CEST	53	49723	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:32.701313972 CEST	53	49723	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:32.701527119 CEST	49723	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:32.701527119 CEST	49723	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:32.706449032 CEST	53	49723	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:33.711107969 CEST	49724	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:33.716006041 CEST	80	49724	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:33.716083050 CEST	49724	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:33.716331959 CEST	49724	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:33.721155882 CEST	80	49724	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:33.721210957 CEST	49724	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:33.725981951 CEST	80	49724	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:34.730340958 CEST	80	49724	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:34.730465889 CEST	49724	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:34.730556011 CEST	80	49724	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:34.730731010 CEST	49724	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:35.742204905 CEST	49725	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:35.742255926 CEST	443	49725	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:35.742352009 CEST	49725	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:35.742429972 CEST	49725	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:35.742439032 CEST	443	49725	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:35.742481947 CEST	49725	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:35.742491007 CEST	443	49725	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:35.742496014 CEST	443	49725	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:36.773463011 CEST	49726	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:36.778315067 CEST	8080	49726	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:36.778708935 CEST	49726	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:36.778796911 CEST	49726	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:36.783595085 CEST	8080	49726	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:36.783646107 CEST	49726	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:36.788471937 CEST	8080	49726	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:37.800400972 CEST	8080	49726	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:37.800595045 CEST	49726	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:37.800745010 CEST	8080	49726	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:37.800781012 CEST	49726	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:38.805041075 CEST	49727	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:38.810003042 CEST	8443	49727	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:38.812508106 CEST	49727	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:38.813829899 CEST	49727	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:38.819272995 CEST	8443	49727	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:38.820481062 CEST	49727	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:38.828080893 CEST	8443	49727	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:41.028652906 CEST	8443	49727	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:41.028703928 CEST	49727	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:41.028768063 CEST	49727	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:41.034436941 CEST	8443	49727	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:43.054778099 CEST	49728	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:43.059840918 CEST	21	49728	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:43.059932947 CEST	49728	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:43.060004950 CEST	49728	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:43.064816952 CEST	21	49728	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:43.064862013 CEST	49728	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:43.069667101 CEST	21	49728	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:45.378277063 CEST	21	49728	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:45.378390074 CEST	49728	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:45.378437996 CEST	49728	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:45.383287907 CEST	21	49728	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:46.382831097 CEST	49730	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:46.388221979 CEST	53	49730	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:46.388324976 CEST	49730	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:46.388410091 CEST	49730	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:46.393306971 CEST	53	49730	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:46.393376112 CEST	49730	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:46.398549080 CEST	53	49730	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:48.682929993 CEST	53	49730	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:48.682996988 CEST	49730	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:48.683058023 CEST	49730	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:48.687843084 CEST	53	49730	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:49.695415020 CEST	49731	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:49.700294018 CEST	80	49731	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:49.701627016 CEST	49731	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:49.701627016 CEST	49731	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:49.706496954 CEST	80	49731	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:49.707411051 CEST	49731	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:49.712198019 CEST	80	49731	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:50.716917038 CEST	80	49731	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:50.716969967 CEST	80	49731	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:50.717019081 CEST	49731	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:50.726202011 CEST	49731	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:51.742249966 CEST	49732	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:51.742352009 CEST	443	49732	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:51.742463112 CEST	49732	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:51.742536068 CEST	49732	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:51.742554903 CEST	443	49732	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:51.742620945 CEST	49732	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:51.742633104 CEST	443	49732	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:51.742924929 CEST	443	49732	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:52.773487091 CEST	49733	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:52.778712034 CEST	8080	49733	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:52.780597925 CEST	49733	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:52.780693054 CEST	49733	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:52.786017895 CEST	8080	49733	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:52.788573027 CEST	49733	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:52.793473005 CEST	8080	49733	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:53.766402006 CEST	8080	49733	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:53.766649008 CEST	8080	49733	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:53.766658068 CEST	49733	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:53.766731024 CEST	49733	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:54.773498058 CEST	49734	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:54.778683901 CEST	8443	49734	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:54.778799057 CEST	49734	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:54.778872013 CEST	49734	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:54.783734083 CEST	8443	49734	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:54.783804893 CEST	49734	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:54.788664103 CEST	8443	49734	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:56.960781097 CEST	8443	49734	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:56.961108923 CEST	49734	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:56.961110115 CEST	49734	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:56.966232061 CEST	8443	49734	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:58.992386103 CEST	49735	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:58.997275114 CEST	21	49735	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:58.997370005 CEST	49735	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:58.997462988 CEST	49735	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:59.002204895 CEST	21	49735	114.55.25.226	192.168.2.5
Oct 2, 2024 19:11:59.002263069 CEST	49735	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:11:59.007016897 CEST	21	49735	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:01.315126896 CEST	21	49735	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:01.315191984 CEST	49735	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:01.315232038 CEST	49735	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:01.320070028 CEST	21	49735	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:02.320415974 CEST	49736	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:02.325467110 CEST	53	49736	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:02.325545073 CEST	49736	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:02.325615883 CEST	49736	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:02.330547094 CEST	53	49736	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:02.330611944 CEST	49736	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:02.335426092 CEST	53	49736	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:04.655927896 CEST	53	49736	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:04.656044960 CEST	49736	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:04.657779932 CEST	49736	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:04.663296938 CEST	53	49736	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:05.664145947 CEST	49737	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:05.670362949 CEST	80	49737	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:05.670459032 CEST	49737	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:05.670519114 CEST	49737	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:05.676343918 CEST	80	49737	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:05.676397085 CEST	49737	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:05.682120085 CEST	80	49737	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:07.262792110 CEST	80	49737	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:07.262872934 CEST	80	49737	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:07.262993097 CEST	49737	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:07.262993097 CEST	49737	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:08.273639917 CEST	49738	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:08.273683071 CEST	443	49738	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:08.273818016 CEST	49738	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:08.273940086 CEST	49738	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:08.273947954 CEST	443	49738	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:08.274000883 CEST	49738	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:08.274004936 CEST	443	49738	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:08.274219036 CEST	443	49738	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:09.304847956 CEST	49740	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:09.309964895 CEST	8080	49740	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:09.310081959 CEST	49740	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:09.310163975 CEST	49740	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:09.315366983 CEST	8080	49740	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:09.315423965 CEST	49740	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:09.320310116 CEST	8080	49740	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:10.705073118 CEST	8080	49740	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:10.705100060 CEST	8080	49740	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:10.705156088 CEST	49740	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:10.705208063 CEST	49740	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:11.711244106 CEST	49741	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:11.716301918 CEST	8443	49741	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:11.716455936 CEST	49741	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:11.716645956 CEST	49741	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:11.721407890 CEST	8443	49741	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:11.721484900 CEST	49741	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:11.726350069 CEST	8443	49741	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:14.100837946 CEST	8443	49741	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:14.101006985 CEST	49741	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:14.101006985 CEST	49741	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:14.106163025 CEST	8443	49741	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:16.118201017 CEST	49742	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:16.123156071 CEST	21	49742	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:16.123224020 CEST	49742	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:16.126435995 CEST	49742	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:16.131185055 CEST	21	49742	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:16.131247997 CEST	49742	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:16.136194944 CEST	21	49742	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:18.463104963 CEST	21	49742	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:18.463327885 CEST	49742	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:18.484064102 CEST	49742	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:18.489383936 CEST	21	49742	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:19.492522955 CEST	49743	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:19.499481916 CEST	53	49743	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:19.499586105 CEST	49743	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:19.499699116 CEST	49743	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:19.506077051 CEST	53	49743	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:19.506149054 CEST	49743	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:19.512480974 CEST	53	49743	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:21.838073969 CEST	53	49743	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:21.838155985 CEST	49743	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:21.838243008 CEST	49743	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:21.843369007 CEST	53	49743	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:22.851735115 CEST	49744	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:22.958069086 CEST	80	49744	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:22.958163023 CEST	49744	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:22.958273888 CEST	49744	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:22.963135958 CEST	80	49744	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:22.963186979 CEST	49744	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:22.968247890 CEST	80	49744	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:24.060487032 CEST	80	49744	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:24.060535908 CEST	80	49744	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:24.060694933 CEST	49744	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:24.060743093 CEST	49744	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:25.070521116 CEST	49745	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:25.070570946 CEST	443	49745	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:25.070677996 CEST	49745	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:25.070725918 CEST	49745	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:25.070732117 CEST	443	49745	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:25.070789099 CEST	49745	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:25.070795059 CEST	443	49745	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:25.070914030 CEST	443	49745	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:26.101963043 CEST	49746	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:26.106981039 CEST	8080	49746	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:26.107230902 CEST	49746	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:26.107364893 CEST	49746	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:26.112294912 CEST	8080	49746	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:26.112390995 CEST	49746	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:26.117202044 CEST	8080	49746	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:27.191003084 CEST	8080	49746	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:27.191118002 CEST	8080	49746	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:27.191250086 CEST	49746	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:27.191344976 CEST	49746	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:28.195792913 CEST	49747	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:28.200979948 CEST	8443	49747	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:28.201097012 CEST	49747	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:28.201169014 CEST	49747	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:28.205985069 CEST	8443	49747	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:28.206069946 CEST	49747	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:28.211035013 CEST	8443	49747	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:30.397106886 CEST	8443	49747	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:30.397253990 CEST	49747	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:30.399796963 CEST	49747	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:30.405484915 CEST	8443	49747	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:39.550226927 CEST	49748	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:39.555442095 CEST	21	49748	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:39.555547953 CEST	49748	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:39.555639982 CEST	49748	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:39.560717106 CEST	21	49748	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:39.560779095 CEST	49748	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:39.565840006 CEST	21	49748	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:41.789344072 CEST	21	49748	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:41.789433956 CEST	49748	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:41.789479971 CEST	49748	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:41.794559002 CEST	21	49748	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:42.804932117 CEST	49749	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:42.809883118 CEST	53	49749	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:42.809983969 CEST	49749	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:42.812762022 CEST	49749	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:42.817549944 CEST	53	49749	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:42.817629099 CEST	49749	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:42.822427034 CEST	53	49749	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:45.165263891 CEST	53	49749	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:45.165337086 CEST	49749	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:45.165390015 CEST	49749	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:45.170244932 CEST	53	49749	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:46.180198908 CEST	49750	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:46.185406923 CEST	80	49750	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:46.185590982 CEST	49750	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:46.185731888 CEST	49750	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:46.190812111 CEST	80	49750	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:46.190953016 CEST	49750	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:46.195979118 CEST	80	49750	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:47.262811899 CEST	80	49750	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:47.262865067 CEST	80	49750	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:47.262916088 CEST	49750	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:47.262994051 CEST	49750	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:48.276707888 CEST	49751	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:48.276822090 CEST	443	49751	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:48.276916027 CEST	49751	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:48.279817104 CEST	49751	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:48.279855013 CEST	443	49751	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:48.279912949 CEST	49751	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:48.279926062 CEST	443	49751	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:48.279980898 CEST	443	49751	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:49.320686102 CEST	49752	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:49.325930119 CEST	8080	49752	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:49.326025963 CEST	49752	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:49.326258898 CEST	49752	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:49.331274033 CEST	8080	49752	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:49.331413031 CEST	49752	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:49.336299896 CEST	8080	49752	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:50.404556036 CEST	8080	49752	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:50.404607058 CEST	8080	49752	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:50.404869080 CEST	49752	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:50.404869080 CEST	49752	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:51.414990902 CEST	49753	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:51.420918941 CEST	8443	49753	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:51.421410084 CEST	49753	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:51.421813965 CEST	49753	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:51.427145004 CEST	8443	49753	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:51.427501917 CEST	49753	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:51.432545900 CEST	8443	49753	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:53.667176008 CEST	8443	49753	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:53.667268038 CEST	49753	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:53.669425011 CEST	49753	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:53.678559065 CEST	8443	49753	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:55.695619106 CEST	49754	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:55.700475931 CEST	21	49754	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:55.700560093 CEST	49754	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:55.700653076 CEST	49754	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:55.705881119 CEST	21	49754	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:55.705940008 CEST	49754	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:55.710742950 CEST	21	49754	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:57.998763084 CEST	21	49754	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:57.998981953 CEST	49754	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:57.999074936 CEST	49754	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:58.003868103 CEST	21	49754	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:59.008259058 CEST	49755	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:59.013276100 CEST	53	49755	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:59.013382912 CEST	49755	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:59.013470888 CEST	49755	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:59.018301964 CEST	53	49755	114.55.25.226	192.168.2.5
Oct 2, 2024 19:12:59.018376112 CEST	49755	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:12:59.023468018 CEST	53	49755	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:01.220983982 CEST	53	49755	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:01.221110106 CEST	49755	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:01.221268892 CEST	49755	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:01.226109028 CEST	53	49755	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:02.227161884 CEST	49756	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:02.232180119 CEST	80	49756	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:02.232326984 CEST	49756	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:02.232494116 CEST	49756	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:02.237497091 CEST	80	49756	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:02.237561941 CEST	49756	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:02.242326021 CEST	80	49756	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:03.242086887 CEST	80	49756	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:03.242120028 CEST	80	49756	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:03.242352009 CEST	49756	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:03.251465082 CEST	49756	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:04.258321047 CEST	49757	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:04.258379936 CEST	443	49757	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:04.258462906 CEST	49757	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:04.258620977 CEST	49757	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:04.258631945 CEST	443	49757	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:04.258800983 CEST	443	49757	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:04.258848906 CEST	49757	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:04.258860111 CEST	443	49757	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:05.289593935 CEST	49758	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:05.294703960 CEST	8080	49758	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:05.294795036 CEST	49758	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:05.294900894 CEST	49758	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:05.299767017 CEST	8080	49758	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:05.299839973 CEST	49758	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:05.304655075 CEST	8080	49758	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:06.361156940 CEST	8080	49758	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:06.361249924 CEST	8080	49758	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:06.361418962 CEST	49758	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:06.361555099 CEST	49758	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:07.367857933 CEST	49759	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:07.373492002 CEST	8443	49759	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:07.373616934 CEST	49759	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:07.373716116 CEST	49759	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:07.378645897 CEST	8443	49759	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:07.378710985 CEST	49759	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:07.383780003 CEST	8443	49759	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:09.681777954 CEST	8443	49759	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:09.681978941 CEST	49759	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:09.682044029 CEST	49759	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:09.687015057 CEST	8443	49759	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:11.711536884 CEST	49760	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:11.716517925 CEST	21	49760	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:11.716618061 CEST	49760	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:11.716708899 CEST	49760	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:11.721762896 CEST	21	49760	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:11.721837044 CEST	49760	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:11.726727962 CEST	21	49760	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:14.041316032 CEST	21	49760	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:14.041445017 CEST	49760	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:14.041528940 CEST	49760	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:14.046343088 CEST	21	49760	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:15.055269957 CEST	49761	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:15.061414003 CEST	53	49761	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:15.061512947 CEST	49761	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:15.061577082 CEST	49761	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:15.068722010 CEST	53	49761	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:15.068778038 CEST	49761	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:15.074784040 CEST	53	49761	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:17.386607885 CEST	53	49761	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:17.386703014 CEST	49761	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:17.386745930 CEST	49761	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:17.391731977 CEST	53	49761	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:18.399046898 CEST	49762	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:18.404000998 CEST	80	49762	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:18.404135942 CEST	49762	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:18.404220104 CEST	49762	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:18.409056902 CEST	80	49762	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:18.409137011 CEST	49762	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:18.413958073 CEST	80	49762	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:22.552242994 CEST	80	49762	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:22.552491903 CEST	49762	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:22.552613020 CEST	80	49762	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:22.552805901 CEST	49762	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:23.555345058 CEST	49763	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:23.555412054 CEST	443	49763	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:23.555672884 CEST	49763	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:23.555672884 CEST	49763	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:23.555743933 CEST	443	49763	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:23.555811882 CEST	49763	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:23.555821896 CEST	443	49763	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:23.555965900 CEST	443	49763	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:24.586937904 CEST	49764	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:24.592142105 CEST	8080	49764	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:24.592526913 CEST	49764	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:24.592803955 CEST	49764	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:24.597889900 CEST	8080	49764	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:24.598066092 CEST	49764	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:24.603065968 CEST	8080	49764	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:25.706309080 CEST	8080	49764	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:25.706329107 CEST	8080	49764	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:25.706532001 CEST	49764	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:25.706532001 CEST	49764	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:26.711442947 CEST	49765	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:26.716525078 CEST	8443	49765	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:26.716739893 CEST	49765	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:26.716739893 CEST	49765	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:26.722757101 CEST	8443	49765	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:26.722939968 CEST	49765	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:26.727829933 CEST	8443	49765	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:29.093740940 CEST	8443	49765	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:29.093947887 CEST	49765	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:29.094044924 CEST	49765	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:29.098835945 CEST	8443	49765	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:31.120459080 CEST	49766	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:31.125644922 CEST	21	49766	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:31.125783920 CEST	49766	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:31.125953913 CEST	49766	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:31.130976915 CEST	21	49766	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:31.131061077 CEST	49766	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:31.135871887 CEST	21	49766	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:33.817843914 CEST	21	49766	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:33.817941904 CEST	49766	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:33.818033934 CEST	49766	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:33.818180084 CEST	21	49766	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:33.818240881 CEST	49766	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:33.823148966 CEST	21	49766	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:34.820976019 CEST	49767	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:35.043606043 CEST	53	49767	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:35.043838978 CEST	49767	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:35.043967962 CEST	49767	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:35.048969030 CEST	53	49767	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:35.049194098 CEST	49767	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:35.054117918 CEST	53	49767	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:37.410007000 CEST	53	49767	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:37.410361052 CEST	49767	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:37.410361052 CEST	49767	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:37.415433884 CEST	53	49767	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:38.414753914 CEST	49768	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:38.420186043 CEST	80	49768	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:38.420531988 CEST	49768	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:38.420531988 CEST	49768	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:38.425487995 CEST	80	49768	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:38.425753117 CEST	49768	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:38.430633068 CEST	80	49768	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:39.566139936 CEST	80	49768	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:39.566189051 CEST	80	49768	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:39.566217899 CEST	80	49768	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:39.566580057 CEST	49768	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:39.566677094 CEST	49768	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:40.571050882 CEST	49769	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:40.571146965 CEST	443	49769	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:40.571508884 CEST	49769	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:40.571589947 CEST	49769	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:40.571604967 CEST	443	49769	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:40.571785927 CEST	49769	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:40.571814060 CEST	443	49769	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:40.571939945 CEST	443	49769	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:40.607445002 CEST	80	49768	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:40.607852936 CEST	49768	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:40.607939959 CEST	80	49768	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:40.608216047 CEST	49768	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:41.602041006 CEST	49770	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:41.607180119 CEST	8080	49770	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:41.607350111 CEST	49770	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:41.607350111 CEST	49770	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:41.612289906 CEST	8080	49770	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:41.612405062 CEST	49770	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:41.617259979 CEST	8080	49770	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:42.619282007 CEST	8080	49770	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:42.619627953 CEST	49770	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:42.620148897 CEST	8080	49770	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:42.620407104 CEST	49770	8080	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:43.633430958 CEST	49771	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:43.639651060 CEST	8443	49771	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:43.639905930 CEST	49771	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:43.641299009 CEST	49771	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:43.646508932 CEST	8443	49771	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:43.646667957 CEST	49771	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:43.651520967 CEST	8443	49771	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:46.103487015 CEST	8443	49771	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:46.103802919 CEST	49771	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:46.103842020 CEST	49771	8443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:46.110207081 CEST	8443	49771	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:48.133424044 CEST	49772	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:48.138310909 CEST	21	49772	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:48.138397932 CEST	49772	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:48.138468981 CEST	49772	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:48.143332005 CEST	21	49772	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:48.143390894 CEST	49772	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:48.148222923 CEST	21	49772	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:50.490430117 CEST	21	49772	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:50.490700006 CEST	49772	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:50.490700006 CEST	49772	21	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:50.495806932 CEST	21	49772	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:51.543158054 CEST	49773	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:51.979924917 CEST	53	49773	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:51.980169058 CEST	49773	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:51.980170012 CEST	49773	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:51.986911058 CEST	53	49773	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:51.987148046 CEST	49773	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:51.994357109 CEST	53	49773	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:54.317300081 CEST	53	49773	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:54.317421913 CEST	49773	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:54.586102009 CEST	49773	53	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:54.832678080 CEST	53	49773	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:55.586925983 CEST	49774	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:55.592127085 CEST	80	49774	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:55.592446089 CEST	49774	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:55.592446089 CEST	49774	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:55.597534895 CEST	80	49774	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:55.597620010 CEST	49774	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:55.602473021 CEST	80	49774	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:56.702287912 CEST	80	49774	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:56.702475071 CEST	49774	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:56.702738047 CEST	80	49774	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:56.702795029 CEST	49774	80	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:57.836651087 CEST	49775	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:57.836750984 CEST	443	49775	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:57.836833954 CEST	49775	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:57.837146044 CEST	49775	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:57.837182999 CEST	443	49775	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:57.837248087 CEST	49775	443	192.168.2.5	114.55.25.226
Oct 2, 2024 19:13:57.837265015 CEST	443	49775	114.55.25.226	192.168.2.5
Oct 2, 2024 19:13:57.837270975 CEST	443	49775	114.55.25.226	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 2, 2024 19:10:52.874509096 CEST	59042	53	192.168.2.5	1.1.1.1
Oct 2, 2024 19:10:53.867113113 CEST	59042	53	192.168.2.5	1.1.1.1
Oct 2, 2024 19:10:54.009879112 CEST	53	59042	1.1.1.1	192.168.2.5
Oct 2, 2024 19:10:54.014725924 CEST	53	59042	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 2, 2024 19:10:52.874509096 CEST	192.168.2.5	1.1.1.1	0x496	Standard query (0)	www.uvfr4ep.com	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:10:53.867113113 CEST	192.168.2.5	1.1.1.1	0x496	Standard query (0)	www.uvfr4ep.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 2, 2024 19:10:54.009879112 CEST	1.1.1.1	192.168.2.5	0x496	No error (0)	www.uvfr4ep.com		114.55.25.226	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:10:54.014725924 CEST	1.1.1.1	192.168.2.5	0x496	No error (0)	www.uvfr4ep.com		114.55.25.226	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.27	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.37	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.34	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.43	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.36	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.26	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		84.201.210.22	A (IP address)	IN (0x0001)	false
Oct 2, 2024 19:12:08.384399891 CEST	1.1.1.1	192.168.2.5	0x1e68	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.57.40	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:11:02.169312000 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:11:02.174696922 CEST	110	OUT	Data Raw: fb fa 6b 8e 87 39 c7 fb a8 5b e0 4a b6 ed 2b 6b 06 a5 cb fc f6 f1 2d a0 84 5d 90 65 14 15 f4 7a e3 c5 00 92 61 b2 9e 3e 67 94 2e 89 7c 21 d0 c3 a4 0d 64 42 40 0a e7 62 4d 88 5a a8 d7 c0 3d af 2d 3e c3 49 dd 0b 65 f4 65 98 35 84 6d 51 92 b0 d2 7e Data Ascii: k9[J+k-]eza>g.\|!dB@bMZ=->Iee5mQ~5>${8kkoMXi5<cy
Oct 2, 2024 19:11:03.256690979 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:11:03 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49708	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:11:06.386709929 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:11:06 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49718	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:11:18.203319073 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:11:18.210129023 CEST	110	OUT	Data Raw: 8c 8d 1c f9 f0 4e b0 8c 2d 72 85 b8 33 a2 92 cd 7c 43 56 fc f0 93 d8 85 51 36 09 3f e5 3e 8a a3 be 6d 97 ca a7 f2 7d 8c 95 ca 3c 0c 8e 19 1e 12 a9 9c 8e 35 31 1f 65 30 ef 94 b4 85 51 9c 34 01 07 e1 23 66 6c 3c f1 31 97 c6 27 01 9f 69 5c 61 df ef Data Ascii: N-r3\|CVQ6?>m}<51e0Q4#fl<1'i\aBO1a)b@E;w^rq.
Oct 2, 2024 19:11:19.307996035 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:11:19 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49720	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:11:22.280061007 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:11:22 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49724	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:11:33.716331959 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:11:33.721210957 CEST	110	OUT	Data Raw: 93 92 03 e6 ef 51 af 93 98 75 53 b7 07 8f 75 07 4e 29 7a a8 8b 20 aa 44 4d 47 57 3d bf 22 89 b0 38 4c 5c 14 a7 f0 b2 a2 3f d2 f5 1c a5 2b e6 c7 84 e9 bd 7e 55 b3 08 ee ec fa f5 98 14 9f 28 0d 9e df f7 a7 73 21 21 00 3d de ee 11 b4 5b a4 b4 f2 9a Data Ascii: QuSuN)z DMGW="8L\?+~U(s!!=[+E~LCqCd
Oct 2, 2024 19:11:34.730340958 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:11:34 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49726	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:11:37.800400972 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:11:37 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49731	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:11:49.701627016 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:11:49.707411051 CEST	110	OUT	Data Raw: 94 95 04 e1 e8 56 a8 94 fd 29 dd 55 65 50 07 69 bd 0c 75 62 4f 78 7f 9a a7 df 43 f7 b4 63 2f de 69 64 c9 6d e5 c7 a9 17 5d 89 7c f9 c0 f3 93 ae 70 cb b5 b3 96 ec da 37 01 65 e6 55 18 d9 89 64 c8 f0 65 d9 36 11 3d b2 5f 85 67 f4 d1 83 d1 dd 06 b8 Data Ascii: V)UePiubOxCc/idm]\|p7eUde6=_g.t4I%}Asm1
Oct 2, 2024 19:11:50.716917038 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:11:50 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49733	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:11:53.766402006 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:11:53 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49737	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:12:05.670519114 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:12:05.676397085 CEST	110	OUT	Data Raw: 05 04 95 70 79 c7 39 05 b3 57 fe b3 ca 52 3d 5c 1f 18 30 bd 32 4b 3a fa 7c 8f ce d9 a7 10 59 d0 e8 c9 a2 db 57 5b f0 2e 82 66 ce 8e fe 60 38 0a 43 4e 61 fd 7a 4e 0e c6 4b a4 fa ea 9a 3b 6e fb d8 cc 9f fe 15 1c f5 1a 80 6a d5 83 ef 10 7a 79 35 3d Data Ascii: py9WR=\02K:\|YW[.f`8CNazNK;njzy5=`>{8b~YRW
Oct 2, 2024 19:12:07.262792110 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:12:07 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49740	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:12:10.705073118 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:12:10 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49744	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:12:22.958273888 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:12:22.963186979 CEST	110	OUT	Data Raw: 0f 0e 9f 7a 73 cd 33 0f 95 b8 77 91 ef 25 84 50 e5 6f 21 ea 46 bc 2d 70 53 18 52 d7 7b a4 5d 27 3a 81 7d a4 4f fb fc 5c ae 83 4d a6 d1 1d 8b 0c b3 33 7a a0 04 b3 13 46 6e 39 6c ee 4c 85 60 06 00 8e 4a 8b 07 b6 f3 62 ac 8f 56 ab c0 6d c9 7f c5 40 Data Ascii: zs3w%Po!F-pSR{]':}O\M3zFn9lL`JbVm@z_U]6GBRp!*
Oct 2, 2024 19:12:24.060487032 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:12:23 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49746	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:12:27.191003084 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:12:27 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49750	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:12:46.185731888 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:12:46.190953016 CEST	110	OUT	Data Raw: 5d 5c cd 28 21 9f 61 5d cc 0a be 85 c6 47 64 6a c0 aa 6f 87 11 38 e7 51 c8 74 8e 87 7a 94 6a 7f 6c 1f 63 b1 30 a0 5e a0 a5 63 d6 e0 aa 2d 39 64 c4 a4 66 9f 01 65 8b 35 a7 07 e2 ec 1f e7 05 0c 04 42 06 cc 2a bf 03 cc a7 6f cd ed bb 5d 7b 17 b2 d7 Data Ascii: ]\(!a]Gdjo8Qtzjlc0^c-9dfe5B*o]{K,kNSMF1]SW
Oct 2, 2024 19:12:47.262811899 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:12:47 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49752	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:12:50.404556036 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:12:50 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49756	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:13:02.232494116 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:13:02.237561941 CEST	110	OUT	Data Raw: c1 c0 51 b4 bd 03 fd c1 9b e6 15 ff 5d 1c ba f4 f8 03 1d e1 4c 0c 22 11 ae 4a 7a 91 d5 b1 18 15 ee aa fc 2d 9c 7d 35 3c 6e 13 e1 06 ad ea 7b 66 60 91 88 65 c0 cd d2 e9 5d a5 8a 66 2c 5e eb fa 1a 6b 05 cc 1a fe f4 cc 6c 1f fa 0b bc 9a 39 15 16 e2 Data Ascii: Q]L"Jz-}5<n{f`e]f,^kl9(}Xm5'
Oct 2, 2024 19:13:03.242086887 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:03 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49758	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:13:06.361156940 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:06 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49762	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:13:18.404220104 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:13:18.409137011 CEST	110	OUT	Data Raw: 94 95 04 e1 e8 56 a8 94 3c 93 25 1f 72 59 b1 bd f2 16 3d 65 c4 a8 da 57 41 68 f1 28 e4 4a 71 93 ff 07 9a 62 32 85 d8 c5 9c 33 84 b3 d7 fa 25 7a 3f d1 fd b4 1d 3c 7f fa e7 d2 54 8a 48 f0 d7 29 5e 93 36 d6 e1 53 4c 60 9e 3f 9f be c6 8a 67 09 49 a2 Data Ascii: V<%rY=eWAh(Jqb23%z?<TH)^6SL`?gIc{eh.1#
Oct 2, 2024 19:13:22.552242994 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:22 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49764	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:13:25.706309080 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:25 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49768	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:13:38.420531988 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:13:38.425753117 CEST	110	OUT	Data Raw: 19 18 89 6c 65 db 25 19 43 b4 69 87 bd 0d a9 de b7 b1 39 2e 7d ab af 8e 02 53 e3 fa 35 77 dc 06 fb 4b 51 5f 8e ee 48 9d 6e 99 45 a6 95 23 b0 94 f7 fb 74 72 29 b2 87 ae 29 64 cb d5 14 40 f7 31 d7 52 70 66 d0 b5 51 b5 6c 95 5e ab 84 53 f2 e7 81 88 Data Ascii: le%Ci9.}S5wKQ_HnE#tr))d@1RpfQl^SW\Ep!hw5
Oct 2, 2024 19:13:39.566139936 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:39 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>
Oct 2, 2024 19:13:40.607445002 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:39 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>
Oct 2, 2024 19:13:40.607939959 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:39 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49770	114.55.25.226	8080	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:13:42.619282007 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:42 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49774	114.55.25.226	80	6516	C:\Windows\Logs\logs\brcc.exe

Timestamp	Bytes transferred	Direction	Data
Oct 2, 2024 19:13:55.592446089 CEST	6	OUT	Data Raw: 17 03 03 00 6e Data Ascii: n
Oct 2, 2024 19:13:55.597620010 CEST	110	OUT	Data Raw: 58 59 c8 2d 24 9a 64 58 c3 e8 ab 84 22 1b b5 53 97 8d e5 1d 07 f6 84 6a a7 83 36 2b c4 7d 31 6c 27 1c a0 5d 97 17 7a bd af 84 c6 e4 4b 74 ed 58 96 86 e9 00 12 ae ed 0b cd f5 5f 45 a4 0b 5b 1a 4a 44 c0 25 88 0d 22 d4 ad 88 dd e9 5a 04 af 2b e0 f5 Data Ascii: XY-$dX"Sj6+}1l']zKtX_E[JD%"Z+wln$K[74orNC
Oct 2, 2024 19:13:56.702287912 CEST	321	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Wed, 02 Oct 2024 17:13:56 GMT Content-Type: text/html Content-Length: 157 Connection: close X-Sg: dbsk Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 30 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>400 Bad Request</title></head><body><center><h1>400 Bad Request</h1></center><hr><center>nginx/1.20.1</center></body></html>

Target ID:	0
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\OPyF68i97j.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OPyF68i97j.exe"
Imagebase:	0x490000
File size:	4'323'328 bytes
MD5 hash:	048FE750E586BCE2FE5C5F0C77DD208F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /run /tn "TabletPCInputServices"
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\OPyF68i97j.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\OPyF68i97j.exe" -service
Imagebase:	0x490000
File size:	4'323'328 bytes
MD5 hash:	048FE750E586BCE2FE5C5F0C77DD208F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\OPyF68i97j.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\OPyF68i97j.exe
Imagebase:	0x490000
File size:	4'323'328 bytes
MD5 hash:	048FE750E586BCE2FE5C5F0C77DD208F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:10:49
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /run /tn "TabletPCInputServices"
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:10:50
Start date:	02/10/2024
Path:	C:\Users\user\Desktop\OPyF68i97j.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\OPyF68i97j.exe
Imagebase:	0x490000
File size:	4'323'328 bytes
MD5 hash:	048FE750E586BCE2FE5C5F0C77DD208F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	13:10:50
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	13:10:50
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn "TabletPCInputServices" /tr "C:\Users\user\Desktop\OPyF68i97j.exe" /sc minute /mo 10 /ru system /f
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:10:50
Start date:	02/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /run /tn "TabletPCInputServices"
Imagebase:	0x3a0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:10:51
Start date:	02/10/2024
Path:	C:\Windows\Logs\logs\brcc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Logs\logs\brcc.exe" askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
Imagebase:	0x400000
File size:	175'528 bytes
MD5 hash:	9D2AE725D41B1F9BF384D2F573DF9443
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 4%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	13:10:51
Start date:	02/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	13:11:33
Start date:	02/10/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22%
Total number of Nodes:	581
Total number of Limit Nodes:	12

Executed Functions

Function 004921C0 Relevance: 77.2, APIs: 34, Strings: 10, Instructions: 211
stringserviceregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 00492212
OpenSCManagerW.SECHOST(00000000,00000000,000F003F), ref: 0049222E
OpenServiceW.ADVAPI32(00000000,00000000,000F01FF), ref: 00492247
CloseServiceHandle.ADVAPI32(00000000), ref: 00492257
CloseServiceHandle.ADVAPI32(00000000), ref: 00492264
CreateServiceW.ADVAPI32(00000000,00000000,?,000F01FF,?,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 004922A1
lstrcpyW.KERNEL32(?,SYSTE), ref: 004922BD
lstrlenW.KERNEL32(?), ref: 004922CA
lstrcpyW.KERNEL32(?,M\Curr), ref: 004922E1
lstrlenW.KERNEL32(?), ref: 004922E8
lstrcpyW.KERNEL32(?,entCont), ref: 004922FF
lstrlenW.KERNEL32(?), ref: 00492306
lstrcpyW.KERNEL32(?,rolSet\), ref: 0049231D
lstrlenW.KERNEL32(?), ref: 00492324
lstrcpyW.KERNEL32(?,Servi), ref: 0049233B
lstrlenW.KERNEL32(?), ref: 00492342
lstrcpyW.KERNEL32(?,ces\), ref: 00492359
lstrlenW.KERNEL32(?), ref: 00492360
lstrcpyW.KERNEL32(?,?), ref: 0049237E
RegOpenKeyExW.KERNELBASE(80000002,?,00000000,00000002,?), ref: 00492397
lstrcpyW.KERNEL32(?,004AC040), ref: 004923B1
lstrlenW.KERNEL32(?), ref: 004923C0
lstrcpyW.KERNEL32(00000000,004AC048), ref: 004923D1
RegSetValueExW.KERNELBASE(?,?,00000000,00000004,?,00000004), ref: 004923F3
lstrcpyW.KERNEL32(?,Desc), ref: 00492401
lstrlenW.KERNEL32(?), ref: 0049240A
lstrcpyW.KERNEL32(?,rip), ref: 0049241D
lstrlenW.KERNEL32(?), ref: 0049242A
lstrcpyW.KERNEL32(?,tion), ref: 0049243D
lstrlenW.KERNEL32(?), ref: 0049244A
RegSetValueExW.KERNELBASE(?,?,00000000,00000001,?,00000001), ref: 00492460
RegCloseKey.KERNELBASE(?), ref: 0049246D
CloseServiceHandle.ADVAPI32(?), ref: 00492485
CloseServiceHandle.ADVAPI32(?), ref: 0049249A

Strings

Servi, xrefs: 00492332
Desc, xrefs: 004923F5
SYSTE, xrefs: 004922B1
rolSet\, xrefs: 00492314
rip, xrefs: 00492414
ces\, xrefs: 00492350
entCont, xrefs: 004922F6
tion, xrefs: 00492434
"%s" -service, xrefs: 0049220C
M\Curr, xrefs: 004922D8

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrcpy$lstrlen$Service$Close$Handle$Open$Value$CreateManagerwsprintf
String ID: "%s" -service$Desc$M\Curr$SYSTE$Servi$ces\$entCont$rip$rolSet\$tion
API String ID: 1302190746-3081135776
Opcode ID: bf24f7cce1e50ce88070fb1e9c317137ea722caf29fea24ecaf900b2e7027f40
Instruction ID: 3cceacb72383bb2eb049c7fc0878346b63a720cf428f9548308c451c3352ebea
Opcode Fuzzy Hash: bf24f7cce1e50ce88070fb1e9c317137ea722caf29fea24ecaf900b2e7027f40
Instruction Fuzzy Hash: 9771557290522CAFCB10DBA0DD44FDA7BBDEF49301F0500A6F705A3191DB74AA958F98

Function 00491930 Relevance: 36.2, APIs: 24, Instructions: 164
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateSelf.KERNELBASE(00000002), ref: 00491964
GetCurrentThread.KERNEL32 ref: 0049197C
OpenThreadToken.ADVAPI32(00000000), ref: 00491983
GetLastError.KERNEL32 ref: 0049198D
GetCurrentProcess.KERNEL32(00000008,?), ref: 004919AA
OpenProcessToken.ADVAPI32(00000000), ref: 004919B3
GetCurrentProcess.KERNEL32(00000008,?), ref: 004919C3
OpenProcessToken.ADVAPI32(00000000), ref: 004919C6
AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004919ED
LocalAlloc.KERNEL32(00000040,00000014), ref: 00491A05
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00491A14
GetLengthSid.ADVAPI32(00000000), ref: 00491A26
LocalAlloc.KERNEL32(00000040,00000010), ref: 00491A32
InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 00491A42
AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,00000000), ref: 00491A58
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 00491A6C
SetSecurityDescriptorGroup.ADVAPI32(00000000,00000000,00000000), ref: 00491A7C
SetSecurityDescriptorOwner.ADVAPI32(00000000,00000000,00000000), ref: 00491A8C
IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 00491A97
AccessCheck.ADVAPI32(00000000,?,00000001,00000001,?,00000014,?,00000000), ref: 00491AD7
RevertToSelf.KERNELBASE ref: 00491AE1
LocalFree.KERNEL32(00000000), ref: 00491AEF
LocalFree.KERNEL32(00000000), ref: 00491AF7
FreeSid.ADVAPI32(00000000), ref: 00491B07

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: DescriptorSecurity$LocalProcess$CurrentFreeInitializeOpenToken$AccessAllocSelfThread$AllocateAllowedCheckDaclErrorGroupImpersonateLastLengthOwnerRevertValid
String ID:
API String ID: 897049590-0
Opcode ID: 3bc0e8f9cdd8c72f0e724855255cbb110ac131844420f00f8f644bba313b73d3
Instruction ID: fec36ffe7706dbf05d09ce1652524ee4c47dd18af18c7262daa56e268468f881
Opcode Fuzzy Hash: 3bc0e8f9cdd8c72f0e724855255cbb110ac131844420f00f8f644bba313b73d3
Instruction Fuzzy Hash: 01515F71A4120AABEF11DFA1DD49FAF7FBCAF05740F054025F601E62A0DBB89D458B68

Function 00491E90 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 135
processstringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00491ED1
ProcessIdToSessionId.KERNEL32(00000000,?), ref: 00491EDF
GetUserNameA.ADVAPI32(?,?), ref: 00491EF3
lstrcatA.KERNEL32(?,Unknown), ref: 00491F09

Part of subcall function 004916F0: ReleaseMutex.KERNEL32(?,63EBF37A,00000000,00000000,004A5800,000000FF,?,00492073), ref: 00491727
Part of subcall function 004916F0: CloseHandle.KERNEL32(?,?,00492073), ref: 00491733

lstrcpyA.KERNEL32(00000000,?), ref: 00491F60
ReleaseMutex.KERNEL32(?), ref: 00491F80
CloseHandle.KERNEL32(?), ref: 00491F8C
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00491FA1
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00491FD1
WinExec.KERNEL32(?,00000000), ref: 0049202B
WinExec.KERNEL32(?,00000000), ref: 00492059
GetCurrentProcessId.KERNEL32 ref: 00492073

Part of subcall function 00491DA0: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,00000000,00000000,00000000), ref: 00491DDF
Part of subcall function 00491DA0: Process32First.KERNEL32(00000000,?), ref: 00491DED
Part of subcall function 00491DA0: OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00491E10
Part of subcall function 00491DA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00491E1D
Part of subcall function 00491DA0: Process32Next.KERNEL32(00000000,?), ref: 00491E40
Part of subcall function 00491DA0: CloseHandle.KERNEL32(00000000), ref: 00491E47

ExitProcess.KERNEL32 ref: 00492082

Strings

Unknown, xrefs: 00491EFD
schtasks /create /tn "%s" /tr "%s" /sc minute /mo %d /f, xrefs: 00491FFA, 00492007
schtasks /create /tn "%s" /tr "%s" /sc minute /mo %d /ru system /f, xrefs: 00491FF2
%sResideVirtual%d, xrefs: 00491F1C
TabletPCInputServices, xrefs: 00491FFF, 00492032
schtasks /run /tn "%s", xrefs: 00492037

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Process$CloseHandleMutex$CreateCurrentExecNameProcess32Release$ExitFileFirstModuleNextOpenSessionSnapshotTerminateToolhelp32Userlstrcatlstrcpy
String ID: %sResideVirtual%d$TabletPCInputServices$Unknown$schtasks /create /tn "%s" /tr "%s" /sc minute /mo %d /f$schtasks /create /tn "%s" /tr "%s" /sc minute /mo %d /ru system /f$schtasks /run /tn "%s"
API String ID: 749260584-984207080
Opcode ID: 58cf3f2e19dcd830df8c48d95cf52b3e109ea32f1e6f5d63a688aadf2e26ae5c
Instruction ID: c5e2958a9c6c2f350d9d18eb8f9f819d2de1da44193f051f2d5fdee2f8e93d67
Opcode Fuzzy Hash: 58cf3f2e19dcd830df8c48d95cf52b3e109ea32f1e6f5d63a688aadf2e26ae5c
Instruction Fuzzy Hash: BC41B7B1A45318ABDF20DB60DC4AFDA7B7CAB15704F0401A6F645E71C1DBB46AC48F58

Function 00491B20 Relevance: 12.2, APIs: 8, Instructions: 160
serviceCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00491E90: GetCurrentProcessId.KERNEL32 ref: 00491ED1
Part of subcall function 00491E90: ProcessIdToSessionId.KERNEL32(00000000,?), ref: 00491EDF
Part of subcall function 00491E90: GetUserNameA.ADVAPI32(?,?), ref: 00491EF3
Part of subcall function 00491E90: lstrcatA.KERNEL32(?,Unknown), ref: 00491F09
Part of subcall function 00491E90: lstrcpyA.KERNEL32(00000000,?), ref: 00491F60
Part of subcall function 00491E90: ReleaseMutex.KERNEL32(?), ref: 00491F80
Part of subcall function 00491E90: CloseHandle.KERNEL32(?), ref: 00491F8C
Part of subcall function 00491E90: CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 00491FA1
Part of subcall function 00491E90: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00491FD1

GetModuleFileNameW.KERNEL32(00000000,?,00000104,63EBF37A,00000000,00000000), ref: 00491B97
ExitProcess.KERNEL32 ref: 00491D15
OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,?,?,00000000), ref: 00491D2B
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00000000), ref: 00491D3B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00000000), ref: 00491D4C
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000), ref: 00491D59
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000), ref: 00491D60
ExitProcess.KERNEL32 ref: 00491D71

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ProcessService$CloseHandleName$ExitFileModuleMutexOpen$CreateCurrentManagerReleaseSessionStartUserlstrcatlstrcpy
String ID:
API String ID: 3235917964-0
Opcode ID: d954af59d113911bd63d34cf69684cd3411cf3a678d2f1ea90165afd29f66002
Instruction ID: 0a83df48254017662a87b9194f1a81ff3f91bc0af9b80274ff92e1d14f61b026
Opcode Fuzzy Hash: d954af59d113911bd63d34cf69684cd3411cf3a678d2f1ea90165afd29f66002
Instruction Fuzzy Hash: A851E3759002199BDF24DB24DC8DBDEBB75EF45304F1442ADE909A72A0DB786B80CF58

Function 004912B0 Relevance: 9.0, APIs: 6, Instructions: 36
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseMutex.KERNEL32(?,00000000,00000000,00491F6D), ref: 004912C1
CloseHandle.KERNEL32(?), ref: 004912CD
CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00491F6D), ref: 004912E2
GetLastError.KERNEL32 ref: 004912F2
ReleaseMutex.KERNEL32(?), ref: 00491313
CloseHandle.KERNEL32(?), ref: 0049131F

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Mutex$CloseHandleRelease$CreateErrorLast
String ID:
API String ID: 299056699-0
Opcode ID: b7d1e7709a75df8677032a7ed35025e8b8889b47130df195982de1a9b0ed2439
Instruction ID: ef52d2d5ff5c405c3d86134ed958ea3a43db5591ecccc79fe7139aa6840eb6c0
Opcode Fuzzy Hash: b7d1e7709a75df8677032a7ed35025e8b8889b47130df195982de1a9b0ed2439
Instruction Fuzzy Hash: DAF04FB1604B119BDB219F70EC5C7C37EA4BB19301F044939F59BC22A0C7B59880CB68

Function 004913D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpW.KERNEL32(?,-service), ref: 00491419
ExitProcess.KERNEL32 ref: 0049142A

Part of subcall function 00491930: ImpersonateSelf.KERNELBASE(00000002), ref: 00491964
Part of subcall function 00491930: GetCurrentThread.KERNEL32 ref: 0049197C
Part of subcall function 00491930: OpenThreadToken.ADVAPI32(00000000), ref: 00491983
Part of subcall function 00491930: GetLastError.KERNEL32 ref: 0049198D
Part of subcall function 00491930: GetCurrentProcess.KERNEL32(00000008,?), ref: 004919AA
Part of subcall function 00491930: OpenProcessToken.ADVAPI32(00000000), ref: 004919B3
Part of subcall function 00491930: GetCurrentProcess.KERNEL32(00000008,?), ref: 004919C3
Part of subcall function 00491930: OpenProcessToken.ADVAPI32(00000000), ref: 004919C6
Part of subcall function 00491930: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004919ED
Part of subcall function 00491930: LocalAlloc.KERNEL32(00000040,00000014), ref: 00491A05
Part of subcall function 00491930: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00491A14
Part of subcall function 00491930: GetLengthSid.ADVAPI32(00000000), ref: 00491A26
Part of subcall function 00491930: LocalAlloc.KERNEL32(00000040,00000010), ref: 00491A32
Part of subcall function 00491930: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 00491A42
Part of subcall function 00491930: AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,00000000), ref: 00491A58

Part of subcall function 00491B20: GetModuleFileNameW.KERNEL32(00000000,?,00000104,63EBF37A,00000000,00000000), ref: 00491B97

Strings

-service, xrefs: 00491411

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Process$CurrentInitializeOpenToken$AllocLocalThread$AccessAllocateAllowedDescriptorErrorExitFileImpersonateLastLengthModuleNameSecuritySelflstrcmp
String ID: -service
API String ID: 2077529461-2074144066
Opcode ID: b51ae6db1ab88941767d291077cbd663d0132d0fa5c25d62052e254ca2bba06c
Instruction ID: 503aded75bca2879fa99beb45a6a11860081647b3a0bbb5b21bd98308d49ee1d
Opcode Fuzzy Hash: b51ae6db1ab88941767d291077cbd663d0132d0fa5c25d62052e254ca2bba06c
Instruction Fuzzy Hash: F7F0F930D04106A6CF10BF7699027BEBFA49F19318F11427FF90463261EA286990829E

Non-executed Functions

Function 00491DA0 Relevance: 10.6, APIs: 7, Instructions: 80
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,00000000,00000000,00000000), ref: 00491DDF
Process32First.KERNEL32(00000000,?), ref: 00491DED
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00491E10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00491E1D
Process32Next.KERNEL32(00000000,?), ref: 00491E40
CloseHandle.KERNEL32(00000000), ref: 00491E47
CloseHandle.KERNEL32(00000000), ref: 00491E65

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: ab9da6b530e0361f058e4a3a2c805af1d98300b09b231a9ecff0a39087a49c40
Instruction ID: 89a31b4b17e2b7eeb363f531c70724ee5c2f17b1021540201aa2ac1f7be39cc9
Opcode Fuzzy Hash: ab9da6b530e0361f058e4a3a2c805af1d98300b09b231a9ecff0a39087a49c40
Instruction Fuzzy Hash: 5721C9312043016BDF20DF20EC85BBB7FE8EB86755F44053EF959862D0DB24AC45C69A

Function 004A01C8 Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1427COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 004A0384

Strings

1#IND, xrefs: 004A1661
1#INF, xrefs: 004A167F
1#QNAN, xrefs: 004A1675
1#SNAN, xrefs: 004A166B

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 050711ce4ab4b710cfc13db98717e3e335e27fc502a1cbb758b0c6313d1a4e43
Instruction ID: eec9e11f73ea0f532335c2293dbfcba82caf1f48810a97a08446b7b896517e5d
Opcode Fuzzy Hash: 050711ce4ab4b710cfc13db98717e3e335e27fc502a1cbb758b0c6313d1a4e43
Instruction Fuzzy Hash: F8D22972E082288FDB65CE28DD407EAB7B5EB5A305F1445EBD40DE7240E778AE818F45

Function 004929F0 Relevance: 7.6, APIs: 5, Instructions: 80stringfileCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00000000), ref: 00492A17
lstrcatW.KERNEL32(?,?), ref: 00492A6D
lstrlenW.KERNEL32(?), ref: 00492A7B
FindFirstFileW.KERNEL32(?,?), ref: 00492AB7
FindClose.KERNEL32(00000000), ref: 00492AC7

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Findlstrlen$CloseFileFirstlstrcat
String ID:
API String ID: 2221514933-0
Opcode ID: abe7df52ea9b1521c97142ffc4d7f121de1c56d7703a879be4930906bfe6ca02
Instruction ID: 1ea456282f75d4d4a50b0732ab9ca5d07de2a4bf5e75e2802d0dd6adc08f6ed5
Opcode Fuzzy Hash: abe7df52ea9b1521c97142ffc4d7f121de1c56d7703a879be4930906bfe6ca02
Instruction Fuzzy Hash: C621F732405714ABCB30DB60EC4D6AB7BE8EF46315F10493BE559C7191D6749884879E

Function 004983A8 Relevance: 4.6, APIs: 3, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 004984A0
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 004984AA
UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 004984B7

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 2d2918df46587f12f8ec280c3e3d88229ecdabe9bdfd986e7966d11adb5dcd80
Instruction ID: 91c3a47256fc2a7740196e01d447b83aeb7f7ad377f99ac529594ceed697d9f6
Opcode Fuzzy Hash: 2d2918df46587f12f8ec280c3e3d88229ecdabe9bdfd986e7966d11adb5dcd80
Instruction Fuzzy Hash: 9B31E774901228ABCF61DF29D889BCDBBB4BF08314F5041EAE41CA7251EB749F818F48

Function 0049901C Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,?,0049901B,?,?,00000000,?), ref: 0049903E
TerminateProcess.KERNEL32(00000000,?,0049901B,?,?,00000000,?), ref: 00499045
ExitProcess.KERNEL32 ref: 00499057

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: ade01d4074f65352cd41944da87a153c09eac26d82b5d4c5cbd506beced1e646
Instruction ID: bbdcfae18d928a607c7d218b009d4715343a18686b915a85242801087cfdf0a6
Opcode Fuzzy Hash: ade01d4074f65352cd41944da87a153c09eac26d82b5d4c5cbd506beced1e646
Instruction Fuzzy Hash: 29E04F31004104ABCF11AF59CC08A093F29FB41341B094439F41986132CB3ADD82CB48

Function 00492B40 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 00492B70

Strings

TestWrite, xrefs: 00492B53

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID: TestWrite
API String ID: 3789849863-1711770924
Opcode ID: 5829eab2a07bb3311af46094caf5edbb2fed385b8159fbf296b5c857167248a9
Instruction ID: bd0e075842981ca8d318d38315b977274b150aeab29d3cf4f9e83d0187c8aa76
Opcode Fuzzy Hash: 5829eab2a07bb3311af46094caf5edbb2fed385b8159fbf296b5c857167248a9
Instruction Fuzzy Hash: C9E01AB490521CABDB00DF95D64979EBBF4EB04308F5145AAD80567241DBB45A088BA9

Function 0049FD30 Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bc668b8b44d7bfb338e1b0398f39d33e802b05a49133743f99c14bb2fa942e4
Instruction ID: e8b31ef7fb8299c78e6ba93b5f12cc9675ac2a0181b3712f51a9d8415e18d4dd
Opcode Fuzzy Hash: 1bc668b8b44d7bfb338e1b0398f39d33e802b05a49133743f99c14bb2fa942e4
Instruction Fuzzy Hash: 91F15C71E002199FDF14CFA8C9806AEBBB1FF99314F15826AE819EB344D735AD05CB94

Function 00492AF0 Relevance: 3.0, APIs: 2, Instructions: 26fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,00000000), ref: 00492B13
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00492B21

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 175bd04492e448e786967119c5a0c22e79e8e805826b7d4ab4733b4f542dbb34
Instruction ID: 26890a62fb72ee08edffb08f4efe489053f2087684d6d50beaf36577ce9cbb23
Opcode Fuzzy Hash: 175bd04492e448e786967119c5a0c22e79e8e805826b7d4ab4733b4f542dbb34
Instruction Fuzzy Hash: 86E09B711456005FC2209F349C495677BDCD745225F154B26A879822D0E9329454C69E

Function 004A4B22 Relevance: 1.8, APIs: 1, Instructions: 274COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004A4B1D,?,?,00000008,?,?,004A47B5,00000000), ref: 004A4D4F

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: ca1bfd8f5b16a5cf1605ee7462efcb9cdce2fbe1fc89b39bf8dd9ef06a73451c
Instruction ID: c505204baa11a8d92db12e682bae653b96079628709ce1b73040061f6f7ada61
Opcode Fuzzy Hash: ca1bfd8f5b16a5cf1605ee7462efcb9cdce2fbe1fc89b39bf8dd9ef06a73451c
Instruction Fuzzy Hash: 98B15C31610608CFD715CF28C486B697BE0FF96364F258659E89ACF3A1C379E992CB44

Function 00497563 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 004976DF

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 63ea2712ae36f081eda2fdf5608d15ceaf206ca272076bf4c91352699f705b27
Instruction ID: 69843d7b2e5b2a52cfbd96aa59e7c6b7ef5214978e11b6c73de4c5d23b07f3c1
Opcode Fuzzy Hash: 63ea2712ae36f081eda2fdf5608d15ceaf206ca272076bf4c91352699f705b27
Instruction Fuzzy Hash: E351887023CA48AADF784A2C89957BF7F999B42328F14043FD446D7782DA1DAD05835E

Function 00497795 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 00497911

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: b6c8fd394a4385cb96eeb6526d220197f9bec5e84873b0840d057cbb14610335
Instruction ID: 85b55d94c9e5d2889ef3037893e967a4493f36868e92552a9fbad138852708f7
Opcode Fuzzy Hash: b6c8fd394a4385cb96eeb6526d220197f9bec5e84873b0840d057cbb14610335
Instruction Fuzzy Hash: EA5157B023C64856EF38E668889E7BFAF89AF41304F18447FD48297391D61DAD09C35E

Function 004A333C Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076e0986a98fb2ad234cad95280b139f447e79507e3d91f2dd07534dc7d90bcc
Instruction ID: c14546761345f765ff6188ea972120d8f2c8d033059d99a1c5843b2a17c4d3cb
Opcode Fuzzy Hash: 076e0986a98fb2ad234cad95280b139f447e79507e3d91f2dd07534dc7d90bcc
Instruction Fuzzy Hash: 8721B673F2043947770CC47E8C522BDB6E1C68C501745823AF8A6EA2C1D968D917E2E4

Function 004A321C Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb20f6fc4f47de5524259f71d583fac7a523cd9d1a8d05841d1eef5c2ea2454
Instruction ID: 0321b4f9d93e55f2eb3e485f3079aafb0afc0b0d00bfae5744a8474a29605747
Opcode Fuzzy Hash: efb20f6fc4f47de5524259f71d583fac7a523cd9d1a8d05841d1eef5c2ea2454
Instruction Fuzzy Hash: 9D11A723F30C255A675C81698C1327A95D2EBD824031F533AD826E7284E8A4DF13D290

Function 0049D843 Relevance: .0, Instructions: 22COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b9aa229c6464817f707d15d796411dac954e5f630b2d955eccaff9382012813
Instruction ID: 5570a56e907c5c527aa284e7a59509f6a24fdd060102c3d1815ca3904b994733
Opcode Fuzzy Hash: 1b9aa229c6464817f707d15d796411dac954e5f630b2d955eccaff9382012813
Instruction Fuzzy Hash: 2CE04632911228EBCB24EB8A8904A8AFBACEB44B14B5104ABB511D3601C274DE00CBD4

Function 00492090 Relevance: 45.6, APIs: 4, Strings: 22, Instructions: 69
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 0049216B
lstrlenW.KERNEL32(?), ref: 00492178
SHSetValueW.SHLWAPI(80000001,006F0053,TabletPCInputServices,00000001,?,00000000), ref: 0049219D
ExitProcess.KERNEL32 ref: 004921AC

Strings

n, xrefs: 00492124
@rt, xrefs: 0049219D
r, xrefs: 004920C9
f, xrefs: 004920BB
r, xrefs: 00492132
r, xrefs: 004920DE
r, xrefs: 0049211D
\, xrefs: 0049210F
w, xrefs: 00492108
TabletPCInputServices, xrefs: 0049218F
R, xrefs: 00492147
i, xrefs: 00492139
V, xrefs: 0049212B
i, xrefs: 004920D7
u, xrefs: 00492116
w, xrefs: 004920C2
i, xrefs: 004920FA
d, xrefs: 00492101
f, xrefs: 004920EC
S, xrefs: 004920B1
s, xrefs: 004920E5
n, xrefs: 0049214E

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ExitFileModuleNameProcessValuelstrlen
String ID: @rt$R$S$TabletPCInputServices$V$\$d$f$f$i$i$i$n$n$r$r$r$r$s$u$w$w
API String ID: 2356826538-729126582
Opcode ID: b516c702de16d20d13c2c725dcbc0128b718e44e3412b19cf0b064590ecacadc
Instruction ID: 60e2c49e4ae5ab80d7751187d480cad084f087e3448e5c3055edf5ddd53db33d
Opcode Fuzzy Hash: b516c702de16d20d13c2c725dcbc0128b718e44e3412b19cf0b064590ecacadc
Instruction Fuzzy Hash: 5031E8B090021CEEEB10CF91E949BEDBFB5EB05748F104129A6156A291D7B64688CFA4

Function 004924B0 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 275
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00491530: lstrcatW.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00491604
Part of subcall function 00491530: lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491613
Part of subcall function 00491530: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049161C
Part of subcall function 00491530: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049163D
Part of subcall function 00491530: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049164B
Part of subcall function 00491530: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049166A

lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0049144A), ref: 00492590
lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0049144A), ref: 004925A1
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0049144A), ref: 004925B1
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0049144A), ref: 004925C1

Part of subcall function 004928E0: lstrcatW.KERNEL32(?,?,7595F770,?), ref: 00492916
Part of subcall function 004928E0: lstrlenW.KERNEL32(?), ref: 0049292B
Part of subcall function 004928E0: lstrlenW.KERNEL32(0000002F), ref: 0049294F
Part of subcall function 004928E0: lstrlenW.KERNEL32(?), ref: 0049295C
Part of subcall function 004928E0: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 004929B4
Part of subcall function 004928E0: GetLastError.KERNEL32 ref: 004929BF

Part of subcall function 00492AF0: FindFirstFileW.KERNEL32(?,?,00000000), ref: 00492B13
Part of subcall function 00492AF0: FindClose.KERNEL32(00000000,?,?,00000000), ref: 00492B21

lstrcpyA.KERNEL32(00000000,?), ref: 004927A5
ReleaseMutex.KERNEL32(?), ref: 004927C7
CloseHandle.KERNEL32(?), ref: 004927D3
lstrcatW.KERNEL32(?,?), ref: 00492853
wsprintfW.USER32 ref: 00492873
CreateProcessW.KERNEL32(?,?,00000001,00000001,00000001,00000001,00000001,00000001,?,?), ref: 004928C1
Sleep.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004928D2

Strings

Function exe : %S exe size : %u dll : %S dll size : %u, xrefs: 0049270E
NetWork exe : %S exe size : %u dll : %S dll size : %u, xrefs: 0049264F
"%s" %S, xrefs: 0049286D

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrcat$lstrlen$CloseCreateFind$DirectoryErrorFileFirstHandleLastMutexProcessReleaseSleeplstrcpywsprintf
String ID: "%s" %S$Function exe : %S exe size : %u dll : %S dll size : %u$NetWork exe : %S exe size : %u dll : %S dll size : %u
API String ID: 1787968544-1339826144
Opcode ID: e699b334411b896df028221fa484c9ce4f91697672d7cebd137caca4d2f5236c
Instruction ID: 978ddc93b5e99c96478a903f32f8369831daf6b2a44a5fc7bda5ed681d522383
Opcode Fuzzy Hash: e699b334411b896df028221fa484c9ce4f91697672d7cebd137caca4d2f5236c
Instruction Fuzzy Hash: 86B12171900219ABDF30EB61CD45FDA7BBCAF49348F0401EAB609A7191DB746B85CF58

Function 00491480 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00491604

Part of subcall function 00491480: lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491613
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049161C
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049163D
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049164B
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049166A
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491684
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491692
Part of subcall function 00491480: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 004916C2
Part of subcall function 00491480: lstrcatW.KERNEL32(?,006B1FF8,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?), ref: 004916CC

Strings

SHOIOJGA094953-, xrefs: 004915C2
ASJG943P9TGEAGAGP, xrefs: 004915D4
askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG, xrefs: 0049158E
/%$, xrefs: 004915A8, 004915AD

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: /%$$ASJG943P9TGEAGAGP$SHOIOJGA094953-$askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
API String ID: 493641738-1664939733
Opcode ID: a8d2572f8fd157a0467df45bb091da27454174081d039cfa1dae71fad27b1cf6
Instruction ID: 537a477a7d8768b4a8f2df014eee6bede5d2e4bb6e43d21df6334e25e0ddf682
Opcode Fuzzy Hash: a8d2572f8fd157a0467df45bb091da27454174081d039cfa1dae71fad27b1cf6
Instruction Fuzzy Hash: 2361F670600205AFCB20DF29DD85BAFBBF5EF85304F04852EE546972A1DB78AD41CB99

Function 00491530 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 140
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00491604
lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491613
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049161C
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049163D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049164B
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049166A
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491684
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491692
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 004916C2
lstrcatW.KERNEL32(?,006B1FF8,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?), ref: 004916CC

Strings

SHOIOJGA094953-, xrefs: 004915C2
ASJG943P9TGEAGAGP, xrefs: 004915D4
askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG, xrefs: 0049158E
/%$, xrefs: 004915A8, 004915AD

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: /%$$ASJG943P9TGEAGAGP$SHOIOJGA094953-$askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
API String ID: 493641738-1664939733
Opcode ID: 75c905cb566b79080cb020569c30e038d5dba22884149851e4b86ceacd9866b4
Instruction ID: 53908bf14a11770d340f0550d9eae5510cbcf3eff139a46ca88e6dd4b6a6360e
Opcode Fuzzy Hash: 75c905cb566b79080cb020569c30e038d5dba22884149851e4b86ceacd9866b4
Instruction Fuzzy Hash: 8A51D470900215AFCB20DF65DD85BABBFF8EF45304F04852EE542A72A1D778AD41C798

Function 0049DF60 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___free_lconv_mon.LIBCMT ref: 0049DFA4

Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB36
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB48
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB5A
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB6C
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB7E
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB90
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBA2
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBB4
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBC6
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBD8
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBEA
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBFC
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DC0E

_free.LIBCMT ref: 0049DF99

Part of subcall function 00499D31: HeapFree.KERNEL32(00000000,00000000,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200), ref: 00499D47
Part of subcall function 00499D31: GetLastError.KERNEL32(004AE200,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200,004AE200), ref: 00499D59

_free.LIBCMT ref: 0049DFBB
_free.LIBCMT ref: 0049DFD0
_free.LIBCMT ref: 0049DFDB
_free.LIBCMT ref: 0049DFFD
_free.LIBCMT ref: 0049E010
_free.LIBCMT ref: 0049E01E
_free.LIBCMT ref: 0049E029
_free.LIBCMT ref: 0049E061
_free.LIBCMT ref: 0049E068
_free.LIBCMT ref: 0049E085
_free.LIBCMT ref: 0049E09D

Strings

J, xrefs: 0049DF76

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: J
API String ID: 161543041-2157922337
Opcode ID: d1277a13de082da91929ca57ecbbfccbf60eaf1c4f8dd8c92cb920cc87748433
Instruction ID: eb586024dd964233a58823a3a268cc559cc2def3b6b0fa563b3df1a4a0a16598
Opcode Fuzzy Hash: d1277a13de082da91929ca57ecbbfccbf60eaf1c4f8dd8c92cb920cc87748433
Instruction Fuzzy Hash: 1F314F316002019FEF21AA7AD886B5B7BE8AF00359F14493FE455D7295DB7DEC818B28

Function 00491120 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000004,00000000,00000000,7595F770,?,?,?,00492676,?,?,?), ref: 00491153
SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000,?,?,00492676,?,?,?), ref: 00491176
WriteFile.KERNEL32(00000000,?,v&I,?,00000000,?,?,00492676,?,?,?), ref: 0049118C
GetLastError.KERNEL32(?,?,?,00492676,?,?,?,?,?,?,?,?,?,?,?,00000300), ref: 004911B1
CloseHandle.KERNEL32(00000000,?,?,?,?,00492676,?,?,?), ref: 004911C6
Sleep.KERNEL32(000001F4,?,?,?,?,00492676,?,?,?), ref: 004911D1

Strings

(TRUE == bRet) && (dWriteNumber == config_size) , xrefs: 004911A1
v&I, xrefs: 0049117C, 00491186
INVALID_HANDLE_VALUE != hFile errorcode : %d file: %S, xrefs: 004911B8

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastPointerSleepWrite
String ID: (TRUE == bRet) && (dWriteNumber == config_size) $INVALID_HANDLE_VALUE != hFile errorcode : %d file: %S$v&I
API String ID: 284182958-178700489
Opcode ID: 64b26dd76e0f5379aba950c1fe095ae93655682b7ec3c63059c4330225e9aca9
Instruction ID: 8f23c5a3c57e93db051efbbeb2e5b8b1c599e462cfaeb94006c70ac95142d0df
Opcode Fuzzy Hash: 64b26dd76e0f5379aba950c1fe095ae93655682b7ec3c63059c4330225e9aca9
Instruction Fuzzy Hash: F3212432684301BBDA10DF609C0AF5B7FA8EF8A720F14062BFA51921E1D774944587DE

Function 004928E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?,7595F770,?), ref: 00492916
lstrlenW.KERNEL32(?), ref: 0049292B
lstrlenW.KERNEL32(0000002F), ref: 0049294F
lstrlenW.KERNEL32(?), ref: 0049295C
SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 004929B4
GetLastError.KERNEL32 ref: 004929BF

Strings

\, xrefs: 00492965

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrlen$CreateDirectoryErrorLastlstrcat
String ID: \
API String ID: 1382740711-2967466578
Opcode ID: 10e0f0b9bfaf3d51149ec605bd32471ad2766b34d09cf6ffc7a4c3bd7eae0d33
Instruction ID: eb1dd0ec6a56bdc6a16ebaca415e2a6d5aa760368d12754cc0dd6f4a0bd7589d
Opcode Fuzzy Hash: 10e0f0b9bfaf3d51149ec605bd32471ad2766b34d09cf6ffc7a4c3bd7eae0d33
Instruction Fuzzy Hash: D721D6B1A0131CAACF20DB61DD4CBEB7F68EF01304F1186BAE91993141E7B89E448F94

Function 00494110 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_ValidateLocalCookies.LIBCMT ref: 0049413B
___except_validate_context_record.LIBVCRUNTIME ref: 00494143
_ValidateLocalCookies.LIBCMT ref: 004941D1
__IsNonwritableInCurrentImage.LIBCMT ref: 004941FC
_ValidateLocalCookies.LIBCMT ref: 00494251

Strings

csm, xrefs: 004941E6

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f7a3e57d5f633a1c0618d8346cf0893e0e84aa6a1b94c82747fe3ea4f2c83c95
Instruction ID: 2e0e896b00721ce58a5de16ce711141b8c7ecd5391cce2bed5df2f8c33e95adc
Opcode Fuzzy Hash: f7a3e57d5f633a1c0618d8346cf0893e0e84aa6a1b94c82747fe3ea4f2c83c95
Instruction Fuzzy Hash: 7F41F534A002089BCF10DF69C849E9E7FB1AF95328F14817BE8145B392D739D956CB99

Function 00499DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 00499E3E
api-ms-, xrefs: 00499E2A

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 25dac25b284b70273728739754db045336454ef3bc38b9ad438a51e46d58cc2b
Instruction ID: e7ba4160d83b0256485b359bc08f81c96f7d92a38c5635af6a8a54c988ae9fe0
Opcode Fuzzy Hash: 25dac25b284b70273728739754db045336454ef3bc38b9ad438a51e46d58cc2b
Instruction Fuzzy Hash: D521C631E01220ABCF21CA6D8C40B1B3F58AB52BA0F25053EED16A73D1D638ED0186E9

Function 0049DCB8 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0049DC80: _free.LIBCMT ref: 0049DCA5

_free.LIBCMT ref: 0049DD06

Part of subcall function 00499D31: HeapFree.KERNEL32(00000000,00000000,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200), ref: 00499D47
Part of subcall function 00499D31: GetLastError.KERNEL32(004AE200,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200,004AE200), ref: 00499D59

_free.LIBCMT ref: 0049DD11
_free.LIBCMT ref: 0049DD1C
_free.LIBCMT ref: 0049DD70
_free.LIBCMT ref: 0049DD7B
_free.LIBCMT ref: 0049DD86
_free.LIBCMT ref: 0049DD91

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d88016c8f192cd9e66b99b433c08ba9ba6908eb77d80b9a979daad6b387c8377
Instruction ID: 4b9091c4d3222095dcbe060a091ca258ac514cce20150f75e62a791e4c8ab645
Opcode Fuzzy Hash: d88016c8f192cd9e66b99b433c08ba9ba6908eb77d80b9a979daad6b387c8377
Instruction Fuzzy Hash: 6D115471940704AAEE20B7B2CD87FCB7F9C9F00708F400D3EF29966156D6BDB9449654

Function 0049EF29 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 0049EF71
__fassign.LIBCMT ref: 0049F156
__fassign.LIBCMT ref: 0049F173
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0049F1BB
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0049F1FB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0049F2A3

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: fa56a7d7dd016bedc8c05fa55a22cb3fc43d6ce2e050500ab4d2f4302e0ab7f2
Instruction ID: 813a38873e0932aec4ca3fc2dbdca634121a3675a25122b699d79e17005a8541
Opcode Fuzzy Hash: fa56a7d7dd016bedc8c05fa55a22cb3fc43d6ce2e050500ab4d2f4302e0ab7f2
Instruction Fuzzy Hash: 6BC16C75D002589FCF14CFE9C880AEDBFB5AF49314F2841BAE815EB242D6359D46CB68

Function 0049B0E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000200,?,00496BAE,00000200,00000000,?,?,00496703,?,00000000,00000200,00000000), ref: 0049B0E5
_free.LIBCMT ref: 0049B142
_free.LIBCMT ref: 0049B178
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00496703,?,00000000,00000200,00000000), ref: 0049B183

Strings

8J, xrefs: 0049B16B

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ErrorLast_free
String ID: 8J
API String ID: 2283115069-3490681954
Opcode ID: ad9b2c0400f629f83e80a308dbf533a6dca9940e41f5bc28d79aa81d1dbe34d4
Instruction ID: d4244da54fe59ed5ac86e02457e4fb1b7bdbba9c5f022ded2a9adca4d33d5212
Opcode Fuzzy Hash: ad9b2c0400f629f83e80a308dbf533a6dca9940e41f5bc28d79aa81d1dbe34d4
Instruction Fuzzy Hash: CB110A322145112A9F116AB7BD97D6B2D8AEBC27F9F25063FF264822D1DB3D8C01419D

Function 0049B237 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000200,00000000,00499CC6,00496890,00000000,?,004983A3,?,?,00000200,?,00491F2C,?,?), ref: 0049B23C
_free.LIBCMT ref: 0049B299
_free.LIBCMT ref: 0049B2CF
SetLastError.KERNEL32(00000000,00000006,000000FF,?,004983A3,?,?,00000200,?,00491F2C,?,?,?,00491472,00000000,?), ref: 0049B2DA

Strings

8J, xrefs: 0049B2C2

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ErrorLast_free
String ID: 8J
API String ID: 2283115069-3490681954
Opcode ID: f084348487f184f1e7803243fc4f711c1a58ba57e9fcdbdd24be523d105c673e
Instruction ID: ad39fcfb4cace2d4be5a1f0bceffdfc23a7b8249a7702fc42ca0da63e85a0dd1
Opcode Fuzzy Hash: f084348487f184f1e7803243fc4f711c1a58ba57e9fcdbdd24be523d105c673e
Instruction Fuzzy Hash: 86112C322042016ADF116BB6BD89D5F2E99EBC2779F25027FF224822E1DF3D8C01519D

Function 0049905E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00499053,00000000,?,0049901B,?,?,00000000), ref: 00499073
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00499086
FreeLibrary.KERNEL32(00000000,?,?,00499053,00000000,?,0049901B,?,?,00000000), ref: 004990A9

Strings

mscoree.dll, xrefs: 0049906C
CorExitProcess, xrefs: 0049907E

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 696ecf7f67fcc4b6cc6a55144c9b37f603081c8a3445929d2324e338db5119e8
Instruction ID: 73b419070b5206dcd383a705adbb13ee9e800685d1d247fd0fd1b31ef5e69d2f
Opcode Fuzzy Hash: 696ecf7f67fcc4b6cc6a55144c9b37f603081c8a3445929d2324e338db5119e8
Instruction Fuzzy Hash: A9F0A031601218FBCF219B64DD0EB9E7EB8EB05756F154079F504A21A2CB788E00DBD8

Function 0049DC17 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0049DC2F

Part of subcall function 00499D31: HeapFree.KERNEL32(00000000,00000000,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200), ref: 00499D47
Part of subcall function 00499D31: GetLastError.KERNEL32(004AE200,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200,004AE200), ref: 00499D59

_free.LIBCMT ref: 0049DC41
_free.LIBCMT ref: 0049DC53
_free.LIBCMT ref: 0049DC65
_free.LIBCMT ref: 0049DC77

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: afe3247d2ce1cdfe87e7c7d44f29fe1f0ed3777ac2fc4dba23e70eed9de8112a
Instruction ID: d77649f19d10f279535a697354c2db7d803938f746dd6e28a311364662f1fc50
Opcode Fuzzy Hash: afe3247d2ce1cdfe87e7c7d44f29fe1f0ed3777ac2fc4dba23e70eed9de8112a
Instruction Fuzzy Hash: A1F06232904601A78E20DB9AE9C6C1B7FD9EA05355B540C2FF058D7601CB7CFC80C66C

Function 0049B491 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0049B51B

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 4d188971a6fa4204caef89fb7e3ccd4c4c55d280ea87260fd91b417bae0265c5
Instruction ID: f60097497dee1ec4074d170ece3165cf11303ba9657d105f34cfea86aec4aadb
Opcode Fuzzy Hash: 4d188971a6fa4204caef89fb7e3ccd4c4c55d280ea87260fd91b417bae0265c5
Instruction Fuzzy Hash: 32B13331900245AFDF118F68DA81BAEBFE5EF95314F1541BBE844AB341D7389D02CBA9

Function 004A3907 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,004A29B7,00000000,00000001,00000000,00000000,?,0049F300,?,00000000,00000000), ref: 004A391E
GetLastError.KERNEL32(?,004A29B7,00000000,00000001,00000000,00000000,?,0049F300,?,00000000,00000000,?,00000000,?,0049F84C,?), ref: 004A392A

Part of subcall function 004A38F0: CloseHandle.KERNEL32(FFFFFFFE,004A393A,?,004A29B7,00000000,00000001,00000000,00000000,?,0049F300,?,00000000,00000000,?,00000000), ref: 004A3900

___initconout.LIBCMT ref: 004A393A

Part of subcall function 004A38B2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004A38E1,004A29A4,00000000,?,0049F300,?,00000000,00000000,?), ref: 004A38C5

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,004A29B7,00000000,00000001,00000000,00000000,?,0049F300,?,00000000,00000000,?), ref: 004A394F

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 475b23788058356c487cabd9e0dfcbf61c460955b3eeda064c9983c576e24d88
Instruction ID: 7441f08516ac10a6ff437d365a4b07333a29cb6c9f70fdeb7bd1a75283ac3e65
Opcode Fuzzy Hash: 475b23788058356c487cabd9e0dfcbf61c460955b3eeda064c9983c576e24d88
Instruction Fuzzy Hash: 4EF03736400115BFCF227FD1DC04A9A7F66FB1A361F058029FE1986130D6768D609B99

Function 0049B19D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0049B1ED
_free.LIBCMT ref: 0049B221

Strings

8J, xrefs: 0049B214

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _free
String ID: 8J
API String ID: 269201875-3490681954
Opcode ID: e48ad7c0f6460bb4c2e87e345e7142c569c6b201b091d87eaa87548c3bf94cf2
Instruction ID: 83e6cfa1de8f275722c780beca3b336ec12d23cf16cd9c493132b78e9d9d1b08
Opcode Fuzzy Hash: e48ad7c0f6460bb4c2e87e345e7142c569c6b201b091d87eaa87548c3bf94cf2
Instruction Fuzzy Hash: 9801283140523226DE223776BD1AE6F1D44CF12BA9F14073BF960A52E9DB2C8C1141DE

Function 00492DA1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00493317

Part of subcall function 004942E9: RaiseException.KERNEL32(?,?,?,93I,00000000,00000000,00000000,?,?,?,?,?,00493339,?,004AC838,%sResideVirtual%d), ref: 00494349

__CxxThrowException@8.LIBVCRUNTIME ref: 00493334

Strings

Unknown exception, xrefs: 00493341

Memory Dump Source

Source File: 00000000.00000002.2023489098.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000000.00000002.2023360004.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023538601.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023564033.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000004B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023593922.00000000006B2000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2023803808.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 682fe5d4504e22df046d7b75d131f6ae458e62a6e892a0ad61f0fd513a808a65
Instruction ID: 81b97e415f7bb619a1a557b0752e873be8e308b0e45b4d68003930d2f8cfe19f
Opcode Fuzzy Hash: 682fe5d4504e22df046d7b75d131f6ae458e62a6e892a0ad61f0fd513a808a65
Instruction Fuzzy Hash: 6BF0F434900208B78F10BBA6D909D9E7F6C6A12714B60817BB81485181EF6CEB06859C

Analysis Process: OPyF68i97j.exePID: 432, Parent PID: 632COMMON

Execution Graph

Execution Coverage:	3.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	526
Total number of Limit Nodes:	16

Executed Functions

Function 004929F0 Relevance: 7.6, APIs: 5, Instructions: 80
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,00000000), ref: 00492A17
lstrcatW.KERNEL32(?,?), ref: 00492A6D
lstrlenW.KERNEL32(?), ref: 00492A7B
FindFirstFileW.KERNELBASE(?,?), ref: 00492AB7
FindClose.KERNELBASE(00000000), ref: 00492AC7

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Findlstrlen$CloseFileFirstlstrcat
String ID:
API String ID: 2221514933-0
Opcode ID: abe7df52ea9b1521c97142ffc4d7f121de1c56d7703a879be4930906bfe6ca02
Instruction ID: 1ea456282f75d4d4a50b0732ab9ca5d07de2a4bf5e75e2802d0dd6adc08f6ed5
Opcode Fuzzy Hash: abe7df52ea9b1521c97142ffc4d7f121de1c56d7703a879be4930906bfe6ca02
Instruction Fuzzy Hash: C621F732405714ABCB30DB60EC4D6AB7BE8EF46315F10493BE559C7191D6749884879E

Function 00492B40 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StartServiceCtrlDispatcherW.ADVAPI32(?), ref: 00492B70

Strings

TestWrite, xrefs: 00492B53

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: CtrlDispatcherServiceStart
String ID: TestWrite
API String ID: 3789849863-1711770924
Opcode ID: 5829eab2a07bb3311af46094caf5edbb2fed385b8159fbf296b5c857167248a9
Instruction ID: bd0e075842981ca8d318d38315b977274b150aeab29d3cf4f9e83d0187c8aa76
Opcode Fuzzy Hash: 5829eab2a07bb3311af46094caf5edbb2fed385b8159fbf296b5c857167248a9
Instruction Fuzzy Hash: C9E01AB490521CABDB00DF95D64979EBBF4EB04308F5145AAD80567241DBB45A088BA9

Function 00492AF0 Relevance: 3.0, APIs: 2, Instructions: 26
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(?,?,00000000), ref: 00492B13
FindClose.KERNEL32(00000000,?,?,00000000), ref: 00492B21

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 175bd04492e448e786967119c5a0c22e79e8e805826b7d4ab4733b4f542dbb34
Instruction ID: 26890a62fb72ee08edffb08f4efe489053f2087684d6d50beaf36577ce9cbb23
Opcode Fuzzy Hash: 175bd04492e448e786967119c5a0c22e79e8e805826b7d4ab4733b4f542dbb34
Instruction Fuzzy Hash: 86E09B711456005FC2209F349C495677BDCD745225F154B26A879822D0E9329454C69E

Function 004924B0 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 275
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00491530: lstrcatW.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00491604
Part of subcall function 00491530: lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491613
Part of subcall function 00491530: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049161C
Part of subcall function 00491530: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049163D
Part of subcall function 00491530: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049164B
Part of subcall function 00491530: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049166A

lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0049144A), ref: 00492590
lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0049144A), ref: 004925A1
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0049144A), ref: 004925B1
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,0049144A), ref: 004925C1

Part of subcall function 004928E0: lstrcatW.KERNEL32(?,?,7595F770,?), ref: 00492916
Part of subcall function 004928E0: lstrlenW.KERNEL32(?), ref: 0049292B
Part of subcall function 004928E0: lstrlenW.KERNEL32(0000002F), ref: 0049294F
Part of subcall function 004928E0: lstrlenW.KERNEL32(?), ref: 0049295C
Part of subcall function 004928E0: SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 004929B4
Part of subcall function 004928E0: GetLastError.KERNEL32 ref: 004929BF

Part of subcall function 00492AF0: FindFirstFileW.KERNELBASE(?,?,00000000), ref: 00492B13
Part of subcall function 00492AF0: FindClose.KERNEL32(00000000,?,?,00000000), ref: 00492B21

lstrcpyA.KERNEL32(00000000,?), ref: 004927A5
ReleaseMutex.KERNEL32(?), ref: 004927C7
CloseHandle.KERNEL32(?), ref: 004927D3
lstrcatW.KERNEL32(?,?), ref: 00492853
wsprintfW.USER32 ref: 00492873
CreateProcessW.KERNELBASE(?,?,00000001,00000001,00000001,00000001,00000001,00000001,?,?), ref: 004928C1
Sleep.KERNELBASE(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004928D2

Strings

"%s" %S, xrefs: 0049286D
Function exe : %S exe size : %u dll : %S dll size : %u, xrefs: 0049270E
NetWork exe : %S exe size : %u dll : %S dll size : %u, xrefs: 0049264F

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrcat$lstrlen$CloseCreateFind$DirectoryErrorFileFirstHandleLastMutexProcessReleaseSleeplstrcpywsprintf
String ID: "%s" %S$Function exe : %S exe size : %u dll : %S dll size : %u$NetWork exe : %S exe size : %u dll : %S dll size : %u
API String ID: 1787968544-1339826144
Opcode ID: e699b334411b896df028221fa484c9ce4f91697672d7cebd137caca4d2f5236c
Instruction ID: 978ddc93b5e99c96478a903f32f8369831daf6b2a44a5fc7bda5ed681d522383
Opcode Fuzzy Hash: e699b334411b896df028221fa484c9ce4f91697672d7cebd137caca4d2f5236c
Instruction Fuzzy Hash: 86B12171900219ABDF30EB61CD45FDA7BBCAF49348F0401EAB609A7191DB746B85CF58

Function 00491120 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 71
filesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,40000000,00000002,00000000,00000004,00000000,00000000,7595F770,?,?,?,00492676,?,?,?), ref: 00491153
SetFilePointerEx.KERNELBASE(00000000,?,?,00000000,00000000,?,?,00492676,?,?,?), ref: 00491176
WriteFile.KERNELBASE(00000000,?,v&I,?,00000000,?,?,00492676,?,?,?), ref: 0049118C
GetLastError.KERNEL32(?,?,?,00492676,?,?,?,?,?,?,?,?,?,?,?,00000300), ref: 004911B1
CloseHandle.KERNELBASE(00000000,?,?,?,?,00492676,?,?,?), ref: 004911C6
Sleep.KERNELBASE(000001F4,?,?,?,?,00492676,?,?,?), ref: 004911D1

Strings

v&I, xrefs: 0049117C, 00491186
INVALID_HANDLE_VALUE != hFile errorcode : %d file: %S, xrefs: 004911B8
(TRUE == bRet) && (dWriteNumber == config_size) , xrefs: 004911A1

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastPointerSleepWrite
String ID: (TRUE == bRet) && (dWriteNumber == config_size) $INVALID_HANDLE_VALUE != hFile errorcode : %d file: %S$v&I
API String ID: 284182958-178700489
Opcode ID: 64b26dd76e0f5379aba950c1fe095ae93655682b7ec3c63059c4330225e9aca9
Instruction ID: 8f23c5a3c57e93db051efbbeb2e5b8b1c599e462cfaeb94006c70ac95142d0df
Opcode Fuzzy Hash: 64b26dd76e0f5379aba950c1fe095ae93655682b7ec3c63059c4330225e9aca9
Instruction Fuzzy Hash: F3212432684301BBDA10DF609C0AF5B7FA8EF8A720F14062BFA51921E1D774944587DE

Function 004928E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,?,7595F770,?), ref: 00492916
lstrlenW.KERNEL32(?), ref: 0049292B
lstrlenW.KERNEL32(0000002F), ref: 0049294F
lstrlenW.KERNEL32(?), ref: 0049295C
SHCreateDirectoryExW.SHELL32(00000000,?,00000000), ref: 004929B4
GetLastError.KERNEL32 ref: 004929BF

Strings

\, xrefs: 00492965

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrlen$CreateDirectoryErrorLastlstrcat
String ID: \
API String ID: 1382740711-2967466578
Opcode ID: 10e0f0b9bfaf3d51149ec605bd32471ad2766b34d09cf6ffc7a4c3bd7eae0d33
Instruction ID: eb1dd0ec6a56bdc6a16ebaca415e2a6d5aa760368d12754cc0dd6f4a0bd7589d
Opcode Fuzzy Hash: 10e0f0b9bfaf3d51149ec605bd32471ad2766b34d09cf6ffc7a4c3bd7eae0d33
Instruction Fuzzy Hash: D721D6B1A0131CAACF20DB61DD4CBEB7F68EF01304F1186BAE91993141E7B89E448F94

Function 004912B0 Relevance: 9.0, APIs: 6, Instructions: 36
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReleaseMutex.KERNEL32(?,00000000,00000000,00491F6D), ref: 004912C1
CloseHandle.KERNEL32(?), ref: 004912CD
CreateMutexA.KERNELBASE(00000000,00000001,00000000,00000000,00000000,00491F6D), ref: 004912E2
GetLastError.KERNEL32 ref: 004912F2
ReleaseMutex.KERNEL32(?), ref: 00491313
CloseHandle.KERNEL32(?), ref: 0049131F

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Mutex$CloseHandleRelease$CreateErrorLast
String ID:
API String ID: 299056699-0
Opcode ID: b7d1e7709a75df8677032a7ed35025e8b8889b47130df195982de1a9b0ed2439
Instruction ID: ef52d2d5ff5c405c3d86134ed958ea3a43db5591ecccc79fe7139aa6840eb6c0
Opcode Fuzzy Hash: b7d1e7709a75df8677032a7ed35025e8b8889b47130df195982de1a9b0ed2439
Instruction Fuzzy Hash: DAF04FB1604B119BDB219F70EC5C7C37EA4BB19301F044939F59BC22A0C7B59880CB68

Function 004913D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcmpW.KERNELBASE(?,-service), ref: 00491419
ExitProcess.KERNEL32 ref: 0049142A

Part of subcall function 00491930: ImpersonateSelf.ADVAPI32(00000002), ref: 00491964
Part of subcall function 00491930: GetCurrentThread.KERNEL32 ref: 0049197C
Part of subcall function 00491930: OpenThreadToken.ADVAPI32(00000000), ref: 00491983
Part of subcall function 00491930: GetLastError.KERNEL32 ref: 0049198D
Part of subcall function 00491930: GetCurrentProcess.KERNEL32(00000008,?), ref: 004919AA
Part of subcall function 00491930: OpenProcessToken.ADVAPI32(00000000), ref: 004919B3
Part of subcall function 00491930: GetCurrentProcess.KERNEL32(00000008,?), ref: 004919C3
Part of subcall function 00491930: OpenProcessToken.ADVAPI32(00000000), ref: 004919C6
Part of subcall function 00491930: AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004919ED
Part of subcall function 00491930: LocalAlloc.KERNEL32(00000040,00000014), ref: 00491A05
Part of subcall function 00491930: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00491A14
Part of subcall function 00491930: GetLengthSid.ADVAPI32(00000000), ref: 00491A26
Part of subcall function 00491930: LocalAlloc.KERNEL32(00000040,00000010), ref: 00491A32
Part of subcall function 00491930: InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 00491A42
Part of subcall function 00491930: AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,00000000), ref: 00491A58

Part of subcall function 00491B20: GetModuleFileNameW.KERNEL32(00000000,?,00000104,C94B88FF,00000000,00000000), ref: 00491B97

Strings

-service, xrefs: 00491411

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Process$CurrentInitializeOpenToken$AllocLocalThread$AccessAllocateAllowedDescriptorErrorExitFileImpersonateLastLengthModuleNameSecuritySelflstrcmp
String ID: -service
API String ID: 2077529461-2074144066
Opcode ID: b51ae6db1ab88941767d291077cbd663d0132d0fa5c25d62052e254ca2bba06c
Instruction ID: 503aded75bca2879fa99beb45a6a11860081647b3a0bbb5b21bd98308d49ee1d
Opcode Fuzzy Hash: b51ae6db1ab88941767d291077cbd663d0132d0fa5c25d62052e254ca2bba06c
Instruction Fuzzy Hash: F7F0F930D04106A6CF10BF7699027BEBFA49F19318F11427FF90463261EA286990829E

Function 00499CD4 Relevance: 1.5, APIs: 1, Instructions: 39
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0049B282,00000001,00000364,00000006,000000FF,?,004983A3,?,?,00000200,?,00491F2C), ref: 00499D15

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 76b38f3a6f9616f9569c9256a9eca45b7016f51f06e2d98d6f4811454ce3998e
Instruction ID: 4975576fd508e0b127f2290639dd10ad8be0c943e7fa38bc9ff7e387ef61d96e
Opcode Fuzzy Hash: 76b38f3a6f9616f9569c9256a9eca45b7016f51f06e2d98d6f4811454ce3998e
Instruction Fuzzy Hash: A9F0E93150012477EF255BAE9D85A5F3F98EF46770B19863FAC059B281CA28DC4086AC

Non-executed Functions

Function 004921C0 Relevance: 77.2, APIs: 34, Strings: 10, Instructions: 211
stringserviceregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

wsprintfW.USER32 ref: 00492212
OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F), ref: 0049222E
OpenServiceW.ADVAPI32(00000000,00000000,000F01FF), ref: 00492247
CloseServiceHandle.ADVAPI32(00000000), ref: 00492257
CloseServiceHandle.ADVAPI32(00000000), ref: 00492264
CreateServiceW.ADVAPI32(00000000,00000000,?,000F01FF,?,00000002,00000001,?,00000000,00000000,00000000,00000000,00000000), ref: 004922A1
lstrcpyW.KERNEL32(?,SYSTE), ref: 004922BD
lstrlenW.KERNEL32(?), ref: 004922CA
lstrcpyW.KERNEL32(?,M\Curr), ref: 004922E1
lstrlenW.KERNEL32(?), ref: 004922E8
lstrcpyW.KERNEL32(?,entCont), ref: 004922FF
lstrlenW.KERNEL32(?), ref: 00492306
lstrcpyW.KERNEL32(?,rolSet\), ref: 0049231D
lstrlenW.KERNEL32(?), ref: 00492324
lstrcpyW.KERNEL32(?,Servi), ref: 0049233B
lstrlenW.KERNEL32(?), ref: 00492342
lstrcpyW.KERNEL32(?,ces\), ref: 00492359
lstrlenW.KERNEL32(?), ref: 00492360
lstrcpyW.KERNEL32(?,?), ref: 0049237E
RegOpenKeyExW.ADVAPI32(80000002,?,00000000,00000002,?), ref: 00492397
lstrcpyW.KERNEL32(?,004AC040), ref: 004923B1
lstrlenW.KERNEL32(?), ref: 004923C0
lstrcpyW.KERNEL32(00000000,004AC048), ref: 004923D1
RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004), ref: 004923F3
lstrcpyW.KERNEL32(?,Desc), ref: 00492401
lstrlenW.KERNEL32(?), ref: 0049240A
lstrcpyW.KERNEL32(?,rip), ref: 0049241D
lstrlenW.KERNEL32(?), ref: 0049242A
lstrcpyW.KERNEL32(?,tion), ref: 0049243D
lstrlenW.KERNEL32(?), ref: 0049244A
RegSetValueExW.ADVAPI32(?,?,00000000,00000001,?,00000001), ref: 00492460
RegCloseKey.ADVAPI32(?), ref: 0049246D
CloseServiceHandle.ADVAPI32(?), ref: 00492485
CloseServiceHandle.ADVAPI32(?), ref: 0049249A

Strings

Desc, xrefs: 004923F5
rolSet\, xrefs: 00492314
SYSTE, xrefs: 004922B1
M\Curr, xrefs: 004922D8
ces\, xrefs: 00492350
"%s" -service, xrefs: 0049220C
entCont, xrefs: 004922F6
tion, xrefs: 00492434
rip, xrefs: 00492414
Servi, xrefs: 00492332

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrcpy$lstrlen$Service$Close$Handle$Open$Value$CreateManagerwsprintf
String ID: "%s" -service$Desc$M\Curr$SYSTE$Servi$ces\$entCont$rip$rolSet\$tion
API String ID: 1302190746-3081135776
Opcode ID: bf24f7cce1e50ce88070fb1e9c317137ea722caf29fea24ecaf900b2e7027f40
Instruction ID: 3cceacb72383bb2eb049c7fc0878346b63a720cf428f9548308c451c3352ebea
Opcode Fuzzy Hash: bf24f7cce1e50ce88070fb1e9c317137ea722caf29fea24ecaf900b2e7027f40
Instruction Fuzzy Hash: 9771557290522CAFCB10DBA0DD44FDA7BBDEF49301F0500A6F705A3191DB74AA958F98

Function 00492090 Relevance: 50.8, APIs: 4, Strings: 25, Instructions: 69
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000), ref: 0049216B
lstrlenW.KERNEL32(?), ref: 00492178
SHSetValueW.SHLWAPI(80000001,006F0053,TabletPCInputServices,00000001,?,00000000), ref: 0049219D
ExitProcess.KERNEL32 ref: 004921AC

Strings

\, xrefs: 0049210F
r, xrefs: 00492132
n, xrefs: 00492140
R, xrefs: 00492147
S, xrefs: 004920B1
r, xrefs: 0049211D
u, xrefs: 00492116
@rt, xrefs: 0049219D
w, xrefs: 004920C2
f, xrefs: 004920BB
\, xrefs: 004920D0
n, xrefs: 0049214E
r, xrefs: 004920DE
TabletPCInputServices, xrefs: 0049218F
d, xrefs: 00492101
i, xrefs: 004920D7
V, xrefs: 0049212B
r, xrefs: 004920C9
f, xrefs: 004920EC
i, xrefs: 004920FA
n, xrefs: 00492124
\, xrefs: 004920F3
s, xrefs: 004920E5
w, xrefs: 00492108
i, xrefs: 00492139

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ExitFileModuleNameProcessValuelstrlen
String ID: @rt$R$S$TabletPCInputServices$V$\$\$\$d$f$f$i$i$i$n$n$n$r$r$r$r$s$u$w$w
API String ID: 2356826538-302260228
Opcode ID: b516c702de16d20d13c2c725dcbc0128b718e44e3412b19cf0b064590ecacadc
Instruction ID: 60e2c49e4ae5ab80d7751187d480cad084f087e3448e5c3055edf5ddd53db33d
Opcode Fuzzy Hash: b516c702de16d20d13c2c725dcbc0128b718e44e3412b19cf0b064590ecacadc
Instruction Fuzzy Hash: 5031E8B090021CEEEB10CF91E949BEDBFB5EB05748F104129A6156A291D7B64688CFA4

Function 00491930 Relevance: 36.2, APIs: 24, Instructions: 164
memorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ImpersonateSelf.ADVAPI32(00000002), ref: 00491964
GetCurrentThread.KERNEL32 ref: 0049197C
OpenThreadToken.ADVAPI32(00000000), ref: 00491983
GetLastError.KERNEL32 ref: 0049198D
GetCurrentProcess.KERNEL32(00000008,?), ref: 004919AA
OpenProcessToken.ADVAPI32(00000000), ref: 004919B3
GetCurrentProcess.KERNEL32(00000008,?), ref: 004919C3
OpenProcessToken.ADVAPI32(00000000), ref: 004919C6
AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 004919ED
LocalAlloc.KERNEL32(00000040,00000014), ref: 00491A05
InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 00491A14
GetLengthSid.ADVAPI32(00000000), ref: 00491A26
LocalAlloc.KERNEL32(00000040,00000010), ref: 00491A32
InitializeAcl.ADVAPI32(00000000,00000010,00000002), ref: 00491A42
AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,00000000), ref: 00491A58
SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 00491A6C
SetSecurityDescriptorGroup.ADVAPI32(00000000,00000000,00000000), ref: 00491A7C
SetSecurityDescriptorOwner.ADVAPI32(00000000,00000000,00000000), ref: 00491A8C
IsValidSecurityDescriptor.ADVAPI32(00000000), ref: 00491A97
AccessCheck.ADVAPI32(00000000,?,00000001,00000001,?,00000014,?,00000000), ref: 00491AD7
RevertToSelf.ADVAPI32 ref: 00491AE1
LocalFree.KERNEL32(00000000), ref: 00491AEF
LocalFree.KERNEL32(00000000), ref: 00491AF7
FreeSid.ADVAPI32(00000000), ref: 00491B07

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: DescriptorSecurity$LocalProcess$CurrentFreeInitializeOpenToken$AccessAllocSelfThread$AllocateAllowedCheckDaclErrorGroupImpersonateLastLengthOwnerRevertValid
String ID:
API String ID: 897049590-0
Opcode ID: 3bc0e8f9cdd8c72f0e724855255cbb110ac131844420f00f8f644bba313b73d3
Instruction ID: fec36ffe7706dbf05d09ce1652524ee4c47dd18af18c7262daa56e268468f881
Opcode Fuzzy Hash: 3bc0e8f9cdd8c72f0e724855255cbb110ac131844420f00f8f644bba313b73d3
Instruction Fuzzy Hash: 01515F71A4120AABEF11DFA1DD49FAF7FBCAF05740F054025F601E62A0DBB89D458B68

Function 00491E90 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 135
processstringsynchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32 ref: 00491ED1
ProcessIdToSessionId.KERNEL32(00000000,?), ref: 00491EDF
GetUserNameA.ADVAPI32(?,?), ref: 00491EF3
lstrcatA.KERNEL32(?,Unknown), ref: 00491F09

Part of subcall function 004916F0: ReleaseMutex.KERNEL32(?,C94B88FF,00000000,00000000,004A5800,000000FF,?,00492073), ref: 00491727
Part of subcall function 004916F0: CloseHandle.KERNEL32(?,?,00492073), ref: 00491733

lstrcpyA.KERNEL32(00000000,?), ref: 00491F60
ReleaseMutex.KERNEL32(?), ref: 00491F80
CloseHandle.KERNEL32(?), ref: 00491F8C
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00491FA1
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00491FD1
WinExec.KERNEL32(?,00000000), ref: 0049202B
WinExec.KERNEL32(?,00000000), ref: 00492059
GetCurrentProcessId.KERNEL32 ref: 00492073

Part of subcall function 00491DA0: CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,00000000,00000000,00000000), ref: 00491DDF
Part of subcall function 00491DA0: Process32First.KERNEL32(00000000,?), ref: 00491DED
Part of subcall function 00491DA0: OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00491E10
Part of subcall function 00491DA0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00491E1D
Part of subcall function 00491DA0: Process32Next.KERNEL32(00000000,?), ref: 00491E40
Part of subcall function 00491DA0: CloseHandle.KERNEL32(00000000), ref: 00491E47

ExitProcess.KERNEL32 ref: 00492082

Strings

schtasks /create /tn "%s" /tr "%s" /sc minute /mo %d /ru system /f, xrefs: 00491FF2
%sResideVirtual%d, xrefs: 00491F1C
TabletPCInputServices, xrefs: 00491FFF, 00492032
schtasks /create /tn "%s" /tr "%s" /sc minute /mo %d /f, xrefs: 00491FFA, 00492007
Unknown, xrefs: 00491EFD
schtasks /run /tn "%s", xrefs: 00492037

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Process$CloseHandleMutex$CreateCurrentExecNameProcess32Release$ExitFileFirstModuleNextOpenSessionSnapshotTerminateToolhelp32Userlstrcatlstrcpy
String ID: %sResideVirtual%d$TabletPCInputServices$Unknown$schtasks /create /tn "%s" /tr "%s" /sc minute /mo %d /f$schtasks /create /tn "%s" /tr "%s" /sc minute /mo %d /ru system /f$schtasks /run /tn "%s"
API String ID: 749260584-984207080
Opcode ID: 58cf3f2e19dcd830df8c48d95cf52b3e109ea32f1e6f5d63a688aadf2e26ae5c
Instruction ID: c5e2958a9c6c2f350d9d18eb8f9f819d2de1da44193f051f2d5fdee2f8e93d67
Opcode Fuzzy Hash: 58cf3f2e19dcd830df8c48d95cf52b3e109ea32f1e6f5d63a688aadf2e26ae5c
Instruction Fuzzy Hash: BC41B7B1A45318ABDF20DB60DC4AFDA7B7CAB15704F0401A6F645E71C1DBB46AC48F58

Function 00491480 Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00491604

Part of subcall function 00491480: lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491613
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049161C
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049163D
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049164B
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049166A
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491684
Part of subcall function 00491480: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491692
Part of subcall function 00491480: lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 004916C2
Part of subcall function 00491480: lstrcatW.KERNEL32(?,006B1FF8,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?), ref: 004916CC

Strings

MZP, xrefs: 004915A8, 004915AD
ASJG943P9TGEAGAGP, xrefs: 004915D4
askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG, xrefs: 0049158E
SHOIOJGA094953-, xrefs: 004915C2

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: ASJG943P9TGEAGAGP$MZP$SHOIOJGA094953-$askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
API String ID: 493641738-2741108744
Opcode ID: a8d2572f8fd157a0467df45bb091da27454174081d039cfa1dae71fad27b1cf6
Instruction ID: 537a477a7d8768b4a8f2df014eee6bede5d2e4bb6e43d21df6334e25e0ddf682
Opcode Fuzzy Hash: a8d2572f8fd157a0467df45bb091da27454174081d039cfa1dae71fad27b1cf6
Instruction Fuzzy Hash: 2361F670600205AFCB20DF29DD85BAFBBF5EF85304F04852EE546972A1DB78AD41CB99

Function 00491530 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 140
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(?,00000008,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 00491604
lstrcatW.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491613
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049161C
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049163D
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049164B
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 0049166A
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491684
lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 00491692
lstrcatW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?,00000000), ref: 004916C2
lstrcatW.KERNEL32(?,006B1FF8,?,?,?,?,?,?,?,?,?,?,?,?,0000000A,?), ref: 004916CC

Strings

MZP, xrefs: 004915A8, 004915AD
ASJG943P9TGEAGAGP, xrefs: 004915D4
askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG, xrefs: 0049158E
SHOIOJGA094953-, xrefs: 004915C2

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: lstrlen$lstrcat
String ID: ASJG943P9TGEAGAGP$MZP$SHOIOJGA094953-$askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG
API String ID: 493641738-2741108744
Opcode ID: 75c905cb566b79080cb020569c30e038d5dba22884149851e4b86ceacd9866b4
Instruction ID: 53908bf14a11770d340f0550d9eae5510cbcf3eff139a46ca88e6dd4b6a6360e
Opcode Fuzzy Hash: 75c905cb566b79080cb020569c30e038d5dba22884149851e4b86ceacd9866b4
Instruction Fuzzy Hash: 8A51D470900215AFCB20DF65DD85BABBFF8EF45304F04852EE542A72A1D778AD41C798

Function 0049DF60 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0049DFA4

Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB36
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB48
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB5A
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB6C
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB7E
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DB90
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBA2
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBB4
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBC6
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBD8
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBEA
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DBFC
Part of subcall function 0049DB19: _free.LIBCMT ref: 0049DC0E

_free.LIBCMT ref: 0049DF99

Part of subcall function 00499D31: HeapFree.KERNEL32(00000000,00000000,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200), ref: 00499D47
Part of subcall function 00499D31: GetLastError.KERNEL32(004AE200,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200,004AE200), ref: 00499D59

_free.LIBCMT ref: 0049DFBB
_free.LIBCMT ref: 0049DFD0
_free.LIBCMT ref: 0049DFDB
_free.LIBCMT ref: 0049DFFD
_free.LIBCMT ref: 0049E010
_free.LIBCMT ref: 0049E01E
_free.LIBCMT ref: 0049E029
_free.LIBCMT ref: 0049E061
_free.LIBCMT ref: 0049E068
_free.LIBCMT ref: 0049E085
_free.LIBCMT ref: 0049E09D

Strings

J, xrefs: 0049DF76

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID: J
API String ID: 161543041-2157922337
Opcode ID: d1277a13de082da91929ca57ecbbfccbf60eaf1c4f8dd8c92cb920cc87748433
Instruction ID: eb586024dd964233a58823a3a268cc559cc2def3b6b0fa563b3df1a4a0a16598
Opcode Fuzzy Hash: d1277a13de082da91929ca57ecbbfccbf60eaf1c4f8dd8c92cb920cc87748433
Instruction Fuzzy Hash: 1F314F316002019FEF21AA7AD886B5B7BE8AF00359F14493FE455D7295DB7DEC818B28

Function 00491B20 Relevance: 12.2, APIs: 8, Instructions: 160serviceCOMMON

Download Yara Rule

APIs

Part of subcall function 00491E90: GetCurrentProcessId.KERNEL32 ref: 00491ED1
Part of subcall function 00491E90: ProcessIdToSessionId.KERNEL32(00000000,?), ref: 00491EDF
Part of subcall function 00491E90: GetUserNameA.ADVAPI32(?,?), ref: 00491EF3
Part of subcall function 00491E90: lstrcatA.KERNEL32(?,Unknown), ref: 00491F09
Part of subcall function 00491E90: lstrcpyA.KERNEL32(00000000,?), ref: 00491F60
Part of subcall function 00491E90: ReleaseMutex.KERNEL32(?), ref: 00491F80
Part of subcall function 00491E90: CloseHandle.KERNEL32(?), ref: 00491F8C
Part of subcall function 00491E90: CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00491FA1
Part of subcall function 00491E90: GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00491FD1

GetModuleFileNameW.KERNEL32(00000000,?,00000104,C94B88FF,00000000,00000000), ref: 00491B97
ExitProcess.KERNEL32 ref: 00491D15
OpenSCManagerW.ADVAPI32(00000000,00000000,00000001,?,?,00000000), ref: 00491D2B
OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,00000000), ref: 00491D3B
StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,00000000), ref: 00491D4C
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000), ref: 00491D59
CloseServiceHandle.ADVAPI32(00000000,?,?,00000000), ref: 00491D60
ExitProcess.KERNEL32 ref: 00491D71

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ProcessService$CloseHandleName$ExitFileModuleMutexOpen$CreateCurrentManagerReleaseSessionStartUserlstrcatlstrcpy
String ID:
API String ID: 3235917964-0
Opcode ID: 539cc90bafc1a1d0ea64264256f86966af5f47e430af3f3d51a400eba62a5910
Instruction ID: 0a83df48254017662a87b9194f1a81ff3f91bc0af9b80274ff92e1d14f61b026
Opcode Fuzzy Hash: 539cc90bafc1a1d0ea64264256f86966af5f47e430af3f3d51a400eba62a5910
Instruction Fuzzy Hash: A851E3759002199BDF24DB24DC8DBDEBB75EF45304F1442ADE909A72A0DB786B80CF58

Function 00494110 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0049413B
___except_validate_context_record.LIBVCRUNTIME ref: 00494143
_ValidateLocalCookies.LIBCMT ref: 004941D1
__IsNonwritableInCurrentImage.LIBCMT ref: 004941FC
_ValidateLocalCookies.LIBCMT ref: 00494251

Strings

csm, xrefs: 004941E6

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f7a3e57d5f633a1c0618d8346cf0893e0e84aa6a1b94c82747fe3ea4f2c83c95
Instruction ID: 2e0e896b00721ce58a5de16ce711141b8c7ecd5391cce2bed5df2f8c33e95adc
Opcode Fuzzy Hash: f7a3e57d5f633a1c0618d8346cf0893e0e84aa6a1b94c82747fe3ea4f2c83c95
Instruction Fuzzy Hash: 7F41F534A002089BCF10DF69C849E9E7FB1AF95328F14817BE8145B392D739D956CB99

Function 00491DA0 Relevance: 10.6, APIs: 7, Instructions: 80processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,00000000,00000000,00000000), ref: 00491DDF
Process32First.KERNEL32(00000000,?), ref: 00491DED
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 00491E10
TerminateProcess.KERNEL32(00000000,00000000), ref: 00491E1D
Process32Next.KERNEL32(00000000,?), ref: 00491E40
CloseHandle.KERNEL32(00000000), ref: 00491E47
CloseHandle.KERNEL32(00000000), ref: 00491E65

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: ab9da6b530e0361f058e4a3a2c805af1d98300b09b231a9ecff0a39087a49c40
Instruction ID: 89a31b4b17e2b7eeb363f531c70724ee5c2f17b1021540201aa2ac1f7be39cc9
Opcode Fuzzy Hash: ab9da6b530e0361f058e4a3a2c805af1d98300b09b231a9ecff0a39087a49c40
Instruction Fuzzy Hash: 5721C9312043016BDF20DF20EC85BBB7FE8EB86755F44053EF959862D0DB24AC45C69A

Function 00499DD3 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

ext-ms-, xrefs: 00499E3E
api-ms-, xrefs: 00499E2A

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 25dac25b284b70273728739754db045336454ef3bc38b9ad438a51e46d58cc2b
Instruction ID: e7ba4160d83b0256485b359bc08f81c96f7d92a38c5635af6a8a54c988ae9fe0
Opcode Fuzzy Hash: 25dac25b284b70273728739754db045336454ef3bc38b9ad438a51e46d58cc2b
Instruction Fuzzy Hash: D521C631E01220ABCF21CA6D8C40B1B3F58AB52BA0F25053EED16A73D1D638ED0186E9

Function 0049DCB8 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0049DC80: _free.LIBCMT ref: 0049DCA5

_free.LIBCMT ref: 0049DD06

Part of subcall function 00499D31: HeapFree.KERNEL32(00000000,00000000,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200), ref: 00499D47
Part of subcall function 00499D31: GetLastError.KERNEL32(004AE200,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200,004AE200), ref: 00499D59

_free.LIBCMT ref: 0049DD11
_free.LIBCMT ref: 0049DD1C
_free.LIBCMT ref: 0049DD70
_free.LIBCMT ref: 0049DD7B
_free.LIBCMT ref: 0049DD86
_free.LIBCMT ref: 0049DD91

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d88016c8f192cd9e66b99b433c08ba9ba6908eb77d80b9a979daad6b387c8377
Instruction ID: 4b9091c4d3222095dcbe060a091ca258ac514cce20150f75e62a791e4c8ab645
Opcode Fuzzy Hash: d88016c8f192cd9e66b99b433c08ba9ba6908eb77d80b9a979daad6b387c8377
Instruction Fuzzy Hash: 6D115471940704AAEE20B7B2CD87FCB7F9C9F00708F400D3EF29966156D6BDB9449654

Function 0049EF29 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMON

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 0049EF71
__fassign.LIBCMT ref: 0049F156
__fassign.LIBCMT ref: 0049F173
WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0049F1BB
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0049F1FB
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 0049F2A3

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: fa56a7d7dd016bedc8c05fa55a22cb3fc43d6ce2e050500ab4d2f4302e0ab7f2
Instruction ID: 813a38873e0932aec4ca3fc2dbdca634121a3675a25122b699d79e17005a8541
Opcode Fuzzy Hash: fa56a7d7dd016bedc8c05fa55a22cb3fc43d6ce2e050500ab4d2f4302e0ab7f2
Instruction Fuzzy Hash: 6BC16C75D002589FCF14CFE9C880AEDBFB5AF49314F2841BAE815EB242D6359D46CB68

Function 0049B0E0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000200,?,00496BAE,00000200,00000000,?,?,00496703,?,00000000,00000200,00000000), ref: 0049B0E5
_free.LIBCMT ref: 0049B142
_free.LIBCMT ref: 0049B178
SetLastError.KERNEL32(00000000,00000006,000000FF,?,00496703,?,00000000,00000200,00000000), ref: 0049B183

Strings

8J, xrefs: 0049B16B

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ErrorLast_free
String ID: 8J
API String ID: 2283115069-3490681954
Opcode ID: 7316175678f8aefb2e4ebcde6f50e06eaffc2c0a1982e976c03e29297e543b8b
Instruction ID: d4244da54fe59ed5ac86e02457e4fb1b7bdbba9c5f022ded2a9adca4d33d5212
Opcode Fuzzy Hash: 7316175678f8aefb2e4ebcde6f50e06eaffc2c0a1982e976c03e29297e543b8b
Instruction Fuzzy Hash: CB110A322145112A9F116AB7BD97D6B2D8AEBC27F9F25063FF264822D1DB3D8C01419D

Function 0049B237 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,00000200,00000000,00499CC6,00496890,00000000,?,004983A3,?,?,00000200,?,00491F2C,?,?), ref: 0049B23C
_free.LIBCMT ref: 0049B299
_free.LIBCMT ref: 0049B2CF
SetLastError.KERNEL32(00000000,00000006,000000FF,?,004983A3,?,?,00000200,?,00491F2C,?,?,?,00491472,00000000,?), ref: 0049B2DA

Strings

8J, xrefs: 0049B2C2

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ErrorLast_free
String ID: 8J
API String ID: 2283115069-3490681954
Opcode ID: 9370c5eb15f639d6794b5764ef4ac21887e1f967f18eeee0593d23259089c6f2
Instruction ID: ad39fcfb4cace2d4be5a1f0bceffdfc23a7b8249a7702fc42ca0da63e85a0dd1
Opcode Fuzzy Hash: 9370c5eb15f639d6794b5764ef4ac21887e1f967f18eeee0593d23259089c6f2
Instruction Fuzzy Hash: 86112C322042016ADF116BB6BD89D5F2E99EBC2779F25027FF224822E1DF3D8C01519D

Function 0049905E Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,00499053,00000000,?,0049901B,?,?,00000000), ref: 00499073
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00499086
FreeLibrary.KERNEL32(00000000,?,?,00499053,00000000,?,0049901B,?,?,00000000), ref: 004990A9

Strings

mscoree.dll, xrefs: 0049906C
CorExitProcess, xrefs: 0049907E

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 696ecf7f67fcc4b6cc6a55144c9b37f603081c8a3445929d2324e338db5119e8
Instruction ID: 73b419070b5206dcd383a705adbb13ee9e800685d1d247fd0fd1b31ef5e69d2f
Opcode Fuzzy Hash: 696ecf7f67fcc4b6cc6a55144c9b37f603081c8a3445929d2324e338db5119e8
Instruction Fuzzy Hash: A9F0A031601218FBCF219B64DD0EB9E7EB8EB05756F154079F504A21A2CB788E00DBD8

Function 0049DC17 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0049DC2F

Part of subcall function 00499D31: HeapFree.KERNEL32(00000000,00000000,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200), ref: 00499D47
Part of subcall function 00499D31: GetLastError.KERNEL32(004AE200,?,0049DCAA,004AE200,00000000,004AE200,00000000,?,0049DCD1,004AE200,00000007,004AE200,?,0049E0F7,004AE200,004AE200), ref: 00499D59

_free.LIBCMT ref: 0049DC41
_free.LIBCMT ref: 0049DC53
_free.LIBCMT ref: 0049DC65
_free.LIBCMT ref: 0049DC77

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: afe3247d2ce1cdfe87e7c7d44f29fe1f0ed3777ac2fc4dba23e70eed9de8112a
Instruction ID: d77649f19d10f279535a697354c2db7d803938f746dd6e28a311364662f1fc50
Opcode Fuzzy Hash: afe3247d2ce1cdfe87e7c7d44f29fe1f0ed3777ac2fc4dba23e70eed9de8112a
Instruction Fuzzy Hash: A1F06232904601A78E20DB9AE9C6C1B7FD9EA05355B540C2FF058D7601CB7CFC80C66C

Function 0049B491 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0049B51B

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 4d188971a6fa4204caef89fb7e3ccd4c4c55d280ea87260fd91b417bae0265c5
Instruction ID: f60097497dee1ec4074d170ece3165cf11303ba9657d105f34cfea86aec4aadb
Opcode Fuzzy Hash: 4d188971a6fa4204caef89fb7e3ccd4c4c55d280ea87260fd91b417bae0265c5
Instruction Fuzzy Hash: 32B13331900245AFDF118F68DA81BAEBFE5EF95314F1541BBE844AB341D7389D02CBA9

Function 004A3907 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,004A29B7,00000000,00000001,00000000,00000000,?,0049F300,?,00000000,00000000), ref: 004A391E
GetLastError.KERNEL32(?,004A29B7,00000000,00000001,00000000,00000000,?,0049F300,?,00000000,00000000,?,00000000,?,0049F84C,?), ref: 004A392A

Part of subcall function 004A38F0: CloseHandle.KERNEL32(FFFFFFFE,004A393A,?,004A29B7,00000000,00000001,00000000,00000000,?,0049F300,?,00000000,00000000,?,00000000), ref: 004A3900

___initconout.LIBCMT ref: 004A393A

Part of subcall function 004A38B2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004A38E1,004A29A4,00000000,?,0049F300,?,00000000,00000000,?), ref: 004A38C5

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,004A29B7,00000000,00000001,00000000,00000000,?,0049F300,?,00000000,00000000,?), ref: 004A394F

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 475b23788058356c487cabd9e0dfcbf61c460955b3eeda064c9983c576e24d88
Instruction ID: 7441f08516ac10a6ff437d365a4b07333a29cb6c9f70fdeb7bd1a75283ac3e65
Opcode Fuzzy Hash: 475b23788058356c487cabd9e0dfcbf61c460955b3eeda064c9983c576e24d88
Instruction Fuzzy Hash: 4EF03736400115BFCF227FD1DC04A9A7F66FB1A361F058029FE1986130D6768D609B99

Function 0049B19D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0049B1ED
_free.LIBCMT ref: 0049B221

Strings

8J, xrefs: 0049B214

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: _free
String ID: 8J
API String ID: 269201875-3490681954
Opcode ID: 0b0e71b80875c557a2f131051416c8c1f85d3034fc58a384c5bc01849fa072f5
Instruction ID: 83e6cfa1de8f275722c780beca3b336ec12d23cf16cd9c493132b78e9d9d1b08
Opcode Fuzzy Hash: 0b0e71b80875c557a2f131051416c8c1f85d3034fc58a384c5bc01849fa072f5
Instruction Fuzzy Hash: 9801283140523226DE223776BD1AE6F1D44CF12BA9F14073BF960A52E9DB2C8C1141DE

Function 00492DA1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00493317

Part of subcall function 004942E9: RaiseException.KERNEL32(?,?,?,93I,00000000,00000000,00000000,?,?,?,?,?,00493339,?,004AC838,%sResideVirtual%d), ref: 00494349

__CxxThrowException@8.LIBVCRUNTIME ref: 00493334

Strings

Unknown exception, xrefs: 00493341

Memory Dump Source

Source File: 00000004.00000002.3889706970.0000000000491000.00000020.00000001.01000000.00000003.sdmp, Offset: 00490000, based on PE: true

Associated: 00000004.00000002.3889687828.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889729142.00000000004A6000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889761126.00000000004AE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000004B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889780984.00000000005CD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.00000000006B2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3889897120.0000000000737000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.3890019739.00000000008B2000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_490000_OPyF68i97j.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 682fe5d4504e22df046d7b75d131f6ae458e62a6e892a0ad61f0fd513a808a65
Instruction ID: 81b97e415f7bb619a1a557b0752e873be8e308b0e45b4d68003930d2f8cfe19f
Opcode Fuzzy Hash: 682fe5d4504e22df046d7b75d131f6ae458e62a6e892a0ad61f0fd513a808a65
Instruction Fuzzy Hash: 6BF0F434900208B78F10BBA6D909D9E7F6C6A12714B60817BB81485181EF6CEB06859C

Analysis Process: brcc.exePID: 6516, Parent PID: 432COMMON

Execution Graph

Execution Coverage:	4.7%
Dynamic/Decrypted Code Coverage:	75.8%
Signature Coverage:	11.6%
Total number of Nodes:	1038
Total number of Limit Nodes:	41

Executed Functions

Function 01325ED0 Relevance: 83.5, APIs: 10, Strings: 37, Instructions: 1229COMMON

Download Yara Rule

Strings

DEFAULT, xrefs: 01326CC2
F, xrefs: 01326BB9
%s\%s\, xrefs: 01326D02
t, xrefs: 01326C90
\, xrefs: 01326C2E
Prox, xrefs: 01326DAE
n, xrefs: 01326C43
Classes, xrefs: 01326CD8
r, xrefs: 01326BFD
e, xrefs: 01326C7B
, xrefs: 01326C82
ver, xrefs: 01326DBE
s, xrefs: 01326C04
t, xrefs: 01326C6D
V, xrefs: 01326C4A
r, xrefs: 01326C74
s, xrefs: 01326C9E
r, xrefs: 01326C51
\, xrefs: 01326C12
n, xrefs: 01326C5F
d, xrefs: 01326C20
f, xrefs: 01326C0B
i, xrefs: 01326C19
R, xrefs: 01326BD8
I, xrefs: 01326C66
e, xrefs: 01326C89
\, xrefs: 01326BE9
u, xrefs: 01326C35
list<T> too long, xrefs: 01326B14
n, xrefs: 01326C97
S, xrefs: 01326BAC
w, xrefs: 01326C27
r, xrefs: 01326C3C
i, xrefs: 01326C58
i, xrefs: 01326BF3
W, xrefs: 01326BC3
ySer, xrefs: 01326DB7

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID:
String ID: $%s\%s\$Classes$DEFAULT$F$I$Prox$R$S$V$W$\$\$\$d$e$e$f$i$i$i$list<T> too long$n$n$n$r$r$r$r$s$s$t$t$u$ver$w$ySer
API String ID: 0-1802518369
Opcode ID: e4cb014bd5efa6b85734bad3866cdda21279c68ec4dc4fd1aef965209ef0d07f
Instruction ID: 5dd53da6e36507aa0db7df5d50f014044c269457fbe023b9e68297f8dc7dda85
Opcode Fuzzy Hash: e4cb014bd5efa6b85734bad3866cdda21279c68ec4dc4fd1aef965209ef0d07f
Instruction Fuzzy Hash: 83A2F7B1D002299FDB18DF68CD85BEEBBB5FF45308F148258D905AB381DB75AA44CB90

Function 01322760 Relevance: 63.8, APIs: 23, Strings: 13, Instructions: 797
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\DemeterID,Product ID,00000004,00000000,?,7B2C007C,00000003,00000000,00000000), ref: 013227D2
CoCreateGuid.COMBASE(?), ref: 013227F0
wsprintfA.USER32 ref: 01322859
SHSetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\DemeterID,Product ID,00000004,00000000,00000004), ref: 013228F4
GetComputerNameA.KERNEL32(00000000,00000100), ref: 01322931
GetUserNameA.ADVAPI32(00000000,00000100), ref: 01322A38
lstrlenA.KERNEL32(00000000,00000007,?,00000000,00000000,00000001), ref: 01322B42
GlobalMemoryStatusEx.KERNELBASE(?,00000007,?,00000000,00000000,00000001), ref: 01322C5D
__aulldiv.LIBCMT ref: 01322C83
GetLogicalDriveStringsA.KERNEL32(00000104,?), ref: 01322D9C
GetDriveTypeA.KERNELBASE(00000000), ref: 01322DE2
GetDiskFreeSpaceExA.KERNELBASE(00000000,?,?,?), ref: 01322E03
RegOpenKeyExA.KERNELBASE(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000101,?,00000007,?,00000000,00000000,00000001), ref: 01323087
RegQueryValueExA.KERNELBASE(?,ProductName,00000000,?,00000000,?), ref: 013230BD
GetNativeSystemInfo.KERNELBASE(?,00000007,?,00000000,00000000,00000001), ref: 013231A2
std::_Xinvalid_argument.LIBCPMT ref: 013232AE
std::_Xinvalid_argument.LIBCPMT ref: 013232BD
std::_Xinvalid_argument.LIBCPMT ref: 013232CC
std::_Xinvalid_argument.LIBCPMT ref: 013232DB
std::_Xinvalid_argument.LIBCPMT ref: 013232EA
std::_Xinvalid_argument.LIBCPMT ref: 013232F9
std::_Xinvalid_argument.LIBCPMT ref: 01323308
std::_Xinvalid_argument.LIBCPMT ref: 01323317

Strings

x86, xrefs: 013231B9
list<T> too long, xrefs: 013232A9, 013232B8, 013232C7, 013232D6, 013232E5, 013232F4, 01323303, 01323312
0 GB / 0 GB, xrefs: 01322FA1
unknown, xrefs: 0132293B, 01322A42, 01322B4C, 013230C7
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 0132307D
%.1f GB / %.1f GB, xrefs: 01322ED0
Product ID, xrefs: 013227C3, 013228D5
x64, xrefs: 013231B2
%08X%04X%04X%02X%02X%02X%02X%02X%02X%02X%02X, xrefs: 01322853
%lld GB, xrefs: 01322CAF
@, xrefs: 01322C52
ProductName, xrefs: 013230B2
SOFTWARE\Microsoft\Windows\CurrentVersion\DemeterID, xrefs: 013227C8, 013228DA

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$Value$DriveName$ComputerCreateDiskFreeGlobalGuidInfoLogicalMemoryNativeOpenQuerySpaceStatusStringsSystemTypeUser__aulldivlstrlenwsprintf
String ID: %.1f GB / %.1f GB$%08X%04X%04X%02X%02X%02X%02X%02X%02X%02X%02X$%lld GB$0 GB / 0 GB$@$Product ID$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion$SOFTWARE\Microsoft\Windows\CurrentVersion\DemeterID$list<T> too long$unknown$x64$x86
API String ID: 3813084420-3657519226
Opcode ID: a2eac15bdd8b0eeb88e97a0c19c77953c64889cfbe49ca48049fa124373a6430
Instruction ID: 9ee71bfda199bc38ce376521b5932b06f6f8b89d20457c2bbf1fbd8df8b31d65
Opcode Fuzzy Hash: a2eac15bdd8b0eeb88e97a0c19c77953c64889cfbe49ca48049fa124373a6430
Instruction Fuzzy Hash: FC62B6719002299FDB24EF28CD48BEEBBB5FF45308F1481E8E509A7295DB759A84CF50

Function 01221670 Relevance: 25.0, APIs: 3, Strings: 11, Instructions: 462
memorylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,-00000FFF,00001000,00000004), ref: 0122181A
LoadLibraryA.KERNELBASE(?), ref: 0122194B
VirtualProtect.KERNELBASE(?,?,?,00000000), ref: 01221A30

Strings

., xrefs: 01221771
ndle, xrefs: 01221A74
k, xrefs: 01221751
rEx, xrefs: 01221A81
e, xrefs: 01221763
l, xrefs: 01221778
asjg98oji4tp0-fposdJDSIOGOPSDFGOEW824PIGR165G6S5, xrefs: 012216E1, 0122170B, 01221733
0, xrefs: 012216C4
3, xrefs: 0122176A
r, xrefs: 01221759
CEFProcessForkHaCreateRemoteThreWaitForSingleObjGetModuleFileNamWriteProcessMemo, xrefs: 01221A69

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: Virtual$AllocLibraryLoadProtect
String ID: .$0$3$CEFProcessForkHaCreateRemoteThreWaitForSingleObjGetModuleFileNamWriteProcessMemo$asjg98oji4tp0-fposdJDSIOGOPSDFGOEW824PIGR165G6S5$e$k$l$ndle$r$rEx
API String ID: 1403325721-2088186737
Opcode ID: 7a2144a6005dfe0644a42c4bf83ea5ce6003c0e899103f6071507b9a7ded3b6e
Instruction ID: 16ecf11b8664ace583f47ad5c03a1052f1860e45d99f0635cf115c309a80b47f
Opcode Fuzzy Hash: 7a2144a6005dfe0644a42c4bf83ea5ce6003c0e899103f6071507b9a7ded3b6e
Instruction Fuzzy Hash: 20028E31A1022A9BDB24CFADC880BADBBF5AF88310F194169D949EF255E770E855CB50

Function 0132ACB0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 198
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(?,0000FFFF,00001006,?,00000004), ref: 0132AD19
setsockopt.WS2_32(?,0000FFFF,00001005,?,00000004), ref: 0132AD3B
send.WS2_32(?,00000317,00000005,00000000), ref: 0132AE38
setsockopt.WS2_32(?,0000FFFF,00001006,00001B58,00000004), ref: 0132AEAD

Strings

%d , xrefs: 0132ADF6
key:, xrefs: 0132ADDD

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: setsockopt$send
String ID: %d $key:
API String ID: 28939370-40514971
Opcode ID: 9f058232208796ef4093c9be4e5b210f11f582d81fa9a389312e146f8c07fb88
Instruction ID: cb84353e3f8045a4b0140ef8f0850ad16b5282a82eb63b94bb3cfc539eb4ff00
Opcode Fuzzy Hash: 9f058232208796ef4093c9be4e5b210f11f582d81fa9a389312e146f8c07fb88
Instruction Fuzzy Hash: CF613871A0025A5BEF21DFACCC80AFFBBB8AF45308F0841ADD545EB682E670D945C761

Function 0132AEF0 Relevance: 4.7, APIs: 3, Instructions: 175networksleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000000A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0132AE89,?), ref: 0132AF22
recv.WS2_32(?,?,00000005,00000000), ref: 0132AF47
recv.WS2_32(?,00000000,00000000,00000000), ref: 0132AFBC

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: recv$Sleep
String ID:
API String ID: 1123280612-0
Opcode ID: 73481402c15ea69d03eb8ba3930f9a92279197ca0fbe111f9d210097aa04f358
Instruction ID: 7bd83a215c2d1e3b27c002d8cc5a5053eea57675367a8e9432d56a4c2a062e32
Opcode Fuzzy Hash: 73481402c15ea69d03eb8ba3930f9a92279197ca0fbe111f9d210097aa04f358
Instruction Fuzzy Hash: A951F671E002299BCB11EFACCC44AEEBBB4EF59318F144159E814F7342D739A945CBA4

Function 01326B30 Relevance: 82.8, APIs: 10, Strings: 37, Instructions: 518
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyExW.KERNELBASE(80000003,00000000,?,00000208,00000000,00000000,00000000,00000000,?,?,?,00000003,00000000,00000000), ref: 01326CAB
StrStrW.KERNELBASE(?,DEFAULT,?,?,?,00000003,00000000,00000000), ref: 01326CCE
StrStrW.SHLWAPI(?,Classes,?,?,?,00000003,00000000,00000000), ref: 01326CE4
wsprintfW.USER32 ref: 01326D08
RegOpenKeyExW.KERNELBASE(80000003,?,00000000,000F003F,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01326D2B
RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 01326DCF
RegQueryValueExA.ADVAPI32(?,786F7250,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 01326E00
RegCloseKey.KERNELBASE(?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 01327099
RegEnumKeyExW.KERNELBASE(80000003,00000001,?,00000208,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000003,00000000), ref: 0132713F
std::_Xinvalid_argument.LIBCPMT ref: 013271E9

Strings

DEFAULT, xrefs: 01326CC2
F, xrefs: 01326BB9
%s\%s\, xrefs: 01326D02
t, xrefs: 01326C90
\, xrefs: 01326C2E
Prox, xrefs: 01326DAE
n, xrefs: 01326C43
Classes, xrefs: 01326CD8
r, xrefs: 01326BFD
e, xrefs: 01326C7B
, xrefs: 01326C82
ver, xrefs: 01326DBE
s, xrefs: 01326C04
t, xrefs: 01326C6D
V, xrefs: 01326C4A
r, xrefs: 01326C74
s, xrefs: 01326C9E
r, xrefs: 01326C51
\, xrefs: 01326C12
n, xrefs: 01326C5F
d, xrefs: 01326C20
f, xrefs: 01326C0B
i, xrefs: 01326C19
R, xrefs: 01326BD8
I, xrefs: 01326C66
e, xrefs: 01326C89
\, xrefs: 01326BE9
u, xrefs: 01326C35
list<T> too long, xrefs: 01326B14, 013271E4
n, xrefs: 01326C97
S, xrefs: 01326BAC
w, xrefs: 01326C27
r, xrefs: 01326C3C
i, xrefs: 01326C58
i, xrefs: 01326BF3
W, xrefs: 01326BC3
ySer, xrefs: 01326DB7

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: EnumQueryValue$CloseOpenXinvalid_argumentstd::_wsprintf
String ID: $%s\%s\$Classes$DEFAULT$F$I$Prox$R$S$V$W$\$\$\$d$e$e$f$i$i$i$list<T> too long$n$n$n$r$r$r$r$s$s$t$t$u$ver$w$ySer
API String ID: 3975790278-1802518369
Opcode ID: 622bfe3eb8de4b10c95fe299cb75196e69992747f938ebf6b49c72dd73b214ff
Instruction ID: e9eb680251c0d01cb43cc12032d1ed55c3d0a847066ffdadd824b607cbc83db2
Opcode Fuzzy Hash: 622bfe3eb8de4b10c95fe299cb75196e69992747f938ebf6b49c72dd73b214ff
Instruction Fuzzy Hash: 6E12B3B1D002299FDB20DF58DC84BADBBBAFF55318F1441E9E508A7241DB75AA88CF50

Function 0040897A Relevance: 59.7, APIs: 4, Strings: 30, Instructions: 179
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000000,80000000,00000000,00000000,00000004,00000000,00000000), ref: 00408A5A
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000040), ref: 00408AA3
ReadFile.KERNELBASE(000000FF,00000000,00000000,?,00000000), ref: 00408AC9
CloseHandle.KERNELBASE(000000FF), ref: 00408AFC

Strings

f, xrefs: 004089A6
3, xrefs: 004089F4
3, xrefs: 00408A08
e, xrefs: 004089D4
j, xrefs: 00408998
5, xrefs: 004089FC
o, xrefs: 004089B4
2, xrefs: 004089F8
a, xrefs: 0040899F
4, xrefs: 00408A1C
9, xrefs: 00408A20
g, xrefs: 004089BB
9, xrefs: 00408A04
8, xrefs: 004089EC
i, xrefs: 004089AD
9, xrefs: 004089E4
[, xrefs: 004089C2
0, xrefs: 00408A24
p, xrefs: 004089C9
w, xrefs: 004089DC
8, xrefs: 00408A00
2, xrefs: 00408A14
3, xrefs: 00408A18
e, xrefs: 004089E0
k, xrefs: 004089D8
4, xrefs: 004089F0
8, xrefs: 00408A10
0, xrefs: 004089E8
4, xrefs: 00408A0C
f, xrefs: 004089D0

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: File$AllocCloseCreateHandleReadVirtual
String ID: 0$0$2$2$3$3$3$4$4$4$5$8$8$8$9$9$9$[$a$e$e$f$f$g$i$j$k$o$p$w
API String ID: 1642992456-4097334363
Opcode ID: d177e4d0b4d3f0f28d0a54269b2e28703b728717ca7bfb4088a550506f3a52a0
Instruction ID: 276268768fae61a3aa97a37b7a49644376cea3c02c5f615e84aec5e1b91e4cd2
Opcode Fuzzy Hash: d177e4d0b4d3f0f28d0a54269b2e28703b728717ca7bfb4088a550506f3a52a0
Instruction Fuzzy Hash: EB912D70904298DFEB15CFA8C844BDEBBB1AF58304F24809DD548BB382D7B65A85CF65

Function 0132DB10 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 290
synchronizationstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyA.KERNEL32(00000000,askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG), ref: 0132DB69
ReleaseMutex.KERNEL32(?), ref: 0132DB84
CloseHandle.KERNEL32(?), ref: 0132DB8C
CreateMutexA.KERNELBASE(00000000,00000001,00000000), ref: 0132DBA1
GetLastError.KERNEL32 ref: 0132DBB1
ReleaseMutex.KERNEL32(?), ref: 0132DBD8
CloseHandle.KERNEL32(?), ref: 0132DBE0
CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0132DC09
std::_Xinvalid_argument.LIBCPMT ref: 0132DDFF
ExitProcess.KERNEL32 ref: 0132DEC4

Strings

askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG, xrefs: 0132DB63
list<T> too long, xrefs: 0132DDFA

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Mutex$CloseCreateHandleRelease$ErrorExitLastProcessXinvalid_argumentlstrcpystd::_
String ID: askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG$list<T> too long
API String ID: 2710040054-1361808773
Opcode ID: cda2f1d4270498a628128d76acb14b89085056489bbf13c15c694803295c266f
Instruction ID: 4a8a61c03bbbcc8a5230b481f4dce5ca83516d62fbce21a79be8aeef91b36982
Opcode Fuzzy Hash: cda2f1d4270498a628128d76acb14b89085056489bbf13c15c694803295c266f
Instruction Fuzzy Hash: 26C14BB0D002299FDB14EFA8C954BEEFBB5FF58308F248119E519B7284DB746945CBA0

Function 0132A5F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 189
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

InitializeCriticalSection.KERNEL32(00000020,7B2C007C,00000004,?,00000000), ref: 0132A637

Part of subcall function 013344E9: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0132A64D,00000000), ref: 013344FC
Part of subcall function 013344E9: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0133452D

Part of subcall function 01322760: SHGetValueA.SHLWAPI(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\DemeterID,Product ID,00000004,00000000,?,7B2C007C,00000003,00000000,00000000), ref: 013227D2
Part of subcall function 01322760: GetComputerNameA.KERNEL32(00000000,00000100), ref: 01322931

wsprintfA.USER32 ref: 0132A6D7
CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,?), ref: 0132A6F0
InitializeCriticalSection.KERNEL32(00000040), ref: 0132A705

Part of subcall function 0132DEDC: __CxxThrowException@8.LIBVCRUNTIME ref: 0132E441
Part of subcall function 0132DEDC: __CxxThrowException@8.LIBVCRUNTIME ref: 0132E45E

Sleep.KERNELBASE(0000000A), ref: 0132A759
GetTickCount.KERNEL32 ref: 0132A7A6
GetTickCount.KERNEL32 ref: 0132A7D2
Sleep.KERNELBASE(000003E8), ref: 0132A7F5
shutdown.WS2_32(0000003C,00000002), ref: 0132A835
closesocket.WS2_32(0000003C), ref: 0132A83D

Strings

x%d, xrefs: 0132A6C8

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CountCriticalException@8InitializeSectionSleepThrowTickTime$ComputerCreateFileNameSemaphoreSystemUnothrow_t@std@@@Value__ehfuncinfo$??2@closesocketshutdownwsprintf
String ID: x%d
API String ID: 404457191-126850396
Opcode ID: 9a9a2786fbc38e2d972464ddf7a4742e18c919931200aee55ea408f7c9c45dc0
Instruction ID: 85592dcd915431ee0b6c4eb9f67577181a6e73ed60764710bdf1a7280694e84d
Opcode Fuzzy Hash: 9a9a2786fbc38e2d972464ddf7a4742e18c919931200aee55ea408f7c9c45dc0
Instruction Fuzzy Hash: 2B71C274A00315DFDB24EF68D884B9ABBF5FF58304F104169E60AAB790EB70B944CB90

Function 00412074 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 106
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041C528: EnterCriticalSection.KERNEL32(004239FC,?,00412EE4,?,creating stream lock,00000000,?,?,00411151,?,00000000,00420250,?,00413984,00420250), ref: 0041C530
Part of subcall function 0041C528: InitializeCriticalSection.KERNEL32(?,004239FC,?,00412EE4,?,creating stream lock,00000000,?,?,00411151,?,00000000,00420250,?,00413984,00420250), ref: 0041C55E
Part of subcall function 0041C528: LeaveCriticalSection.KERNEL32(004239FC,?,004239FC,?,00412EE4,?,creating stream lock,00000000,?,?,00411151,?,00000000,00420250,?,00413984), ref: 0041C585

SetHandleCount.KERNEL32(00000032), ref: 00412092
GetStartupInfoA.KERNEL32(?), ref: 004120BC
GetStdHandle.KERNEL32(000000F6), ref: 00412175
GetStdHandle.KERNEL32(000000F5,000000F6), ref: 00412181
GetStdHandle.KERNEL32(000000F4,000000F5,000000F6), ref: 0041218D

Strings

t:B, xrefs: 0041207F
creating global handle lock, xrefs: 0041207A

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: Handle$CriticalSection$CountEnterInfoInitializeLeaveStartup
String ID: creating global handle lock$t:B
API String ID: 3255421519-54552273
Opcode ID: df9442e1680a95799462763464bb6d188a3c1a3e5e6f7249e83d71a998f705ee
Instruction ID: 0ea7f76ca1b6aed72b73a66dde49da59dfb8d24c70f5eb80e5666bb39963684a
Opcode Fuzzy Hash: df9442e1680a95799462763464bb6d188a3c1a3e5e6f7249e83d71a998f705ee
Instruction Fuzzy Hash: 7D313571600201ABD324DF25CDC1AAA77E2EB40324F64463FE686C22D1D7BC98D6CB5D

Function 01327CC0 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 286
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 01327D40
htons.WS2_32(?), ref: 01327D5A
inet_addr.WS2_32(?), ref: 01327D65
connect.WS2_32(?,?,00000010), ref: 01327D79
closesocket.WS2_32(?), ref: 01327D89

Part of subcall function 01327A70: socket.WS2_32(00000002,00000001,00000006), ref: 01327B25
Part of subcall function 01327A70: connect.WS2_32(00000000,?,00000010), ref: 01327B3D
Part of subcall function 01327A70: setsockopt.WS2_32(00000000,0000FFFF,00001006,?,00000004), ref: 01327B63

Strings

ip : %s port : %d, xrefs: 01327DAD

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: connectsocket$closesockethtonsinet_addrsetsockopt
String ID: ip : %s port : %d
API String ID: 655186869-1577030829
Opcode ID: e15cc969f7928f5dcde393a9d402d23692bd28197269e75b7e6a84d428b08e6e
Instruction ID: 65b432bbd9391240a08cbb6e743e4d37190f7328fd480f51e7935c8cd75b4b3f
Opcode Fuzzy Hash: e15cc969f7928f5dcde393a9d402d23692bd28197269e75b7e6a84d428b08e6e
Instruction Fuzzy Hash: A8B1EF719002189FDB14EFACC884B9DFBB1FF59318F248658E815AB395D731AD45CBA0

Function 00401000 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,`.B), ref: 00401035
GetEnvironmentStrings.KERNEL32 ref: 0041B344
GetCommandLineA.KERNEL32 ref: 0041B34E

Strings

@3O, xrefs: 0041B353, 0041B3CB
`.B, xrefs: 0040102E

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: CommandEnvironmentHandleLineModuleStrings
String ID: @3O$`.B
API String ID: 1584138308-1970850373
Opcode ID: 3fb45a655024feba313da01b91921573050467ea3c01706844517f71734fca6f
Instruction ID: 4488c69faa4ad87b40207625eb41881ce4cb12c3af05c99afcb201778fb6ab85
Opcode Fuzzy Hash: 3fb45a655024feba313da01b91921573050467ea3c01706844517f71734fca6f
Instruction Fuzzy Hash: 0B4127B0A04204ABDB209F659CC2BE737B5EB49308F64411BE95587392D77C98D3CB9E

Function 013372D5 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

api-ms-, xrefs: 0133732C
ext-ms-, xrefs: 01337340

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 65ec2b89e345bf7505a8308e3bfbe4fa9ea6fe4936448f3e317dcee30738c33a
Instruction ID: 9e9881f37fcbdce37609e5b52ab295d5d3e63a86df2d146dd538e43a57b77517
Opcode Fuzzy Hash: 65ec2b89e345bf7505a8308e3bfbe4fa9ea6fe4936448f3e317dcee30738c33a
Instruction Fuzzy Hash: D821EBF6A05215FBDB324A29AC46B1B375CAF85778F150114FE46B7291DA30ED00C6E4

Function 00408C5F Relevance: 9.2, APIs: 2, Strings: 3, Instructions: 459
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004), ref: 00408D40
VirtualProtect.KERNELBASE(?,00000000,00000000,00000000), ref: 004092A0

Strings

, xrefs: 00409146
@, xrefs: 00409150
NvSmartMaxSetState, xrefs: 00409375, 0040937B

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: Virtual$AllocProtect
String ID: $@$NvSmartMaxSetState
API String ID: 2447062925-3527548009
Opcode ID: b706ec27801de8936b598a472a119f9f1197134b4707f3b077e3fa00cdc51dcb
Instruction ID: 1f3e7c0fa9221bd570d4e02ee678290249f37a8e9c7276dc5efa7c34f4a1f29b
Opcode Fuzzy Hash: b706ec27801de8936b598a472a119f9f1197134b4707f3b077e3fa00cdc51dcb
Instruction Fuzzy Hash: 5F32C170D04219CFDB18CF98C994BADBBB2BF48304F1481AAD4496B392C775AE85CF54

Function 013234C0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 156
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetAdaptersAddresses.IPHLPAPI(00000000,00000010,00000000,00000000,?), ref: 01323531
wsprintfW.USER32 ref: 013235F0
lstrlenW.KERNEL32(?), ref: 013235FA

Strings

., xrefs: 0132350C
%, xrefs: 01323505

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: AdaptersAddresseslstrlenwsprintf
String ID: %$.
API String ID: 3037317441-3975786864
Opcode ID: bd215ea4a974906067d08aac08176a92b5e5a54c66d1e4edac1134716e61b406
Instruction ID: a0eeaeeb972f8dd3bfc131d341ffd3a442e68e1d44a84f45824e327032a39052
Opcode Fuzzy Hash: bd215ea4a974906067d08aac08176a92b5e5a54c66d1e4edac1134716e61b406
Instruction Fuzzy Hash: DD516D75A412299FDB25EF68DC88BE9B7F5BF48318F1444E9D409A7201DB359A84CF40

Function 00409BD1 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0041B030: SetConsoleCtrlHandler.KERNEL32(0041B00C,00000001,?,?,?,?,00409BF0,00000002,00408301), ref: 0041B053

GetModuleHandleA.KERNEL32(?), ref: 00409C15

Strings

rw32core.dll, xrefs: 00409CF4
D, xrefs: 00409D2D
could not load string resources, xrefs: 00409C48

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: ConsoleCtrlHandleHandlerModule
String ID: D$could not load string resources$rw32core.dll
API String ID: 790560346-991251983
Opcode ID: b4ae5d54a3b2b48167bdee9764b971dd1d3d7d94c218ad073930a8c0fdf8e7b2
Instruction ID: 8b9188f9c0cb86c5b46988c305a2b7c115439bc794083b693f425d7668405b60
Opcode Fuzzy Hash: b4ae5d54a3b2b48167bdee9764b971dd1d3d7d94c218ad073930a8c0fdf8e7b2
Instruction Fuzzy Hash: B441B272D10208AACB04EBE1ED46EDD77B4FF04304F10852EF8047A2D1EB795A55CB5A

Function 0041B2EF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 111
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStrings.KERNEL32 ref: 0041B344
GetCommandLineA.KERNEL32 ref: 0041B34E
GetModuleHandleA.KERNEL32(00000000,00000000,004F3342,00000000), ref: 0041B41D

Strings

@3O, xrefs: 0041B353, 0041B3CB

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: CommandEnvironmentHandleLineModuleStrings
String ID: @3O
API String ID: 1584138308-2647879139
Opcode ID: e6017f7ab082a5a4d2e50590958008fce340485f06153e9b2fa526acebc32c48
Instruction ID: 65cd2ee007ac636b7045d2a9173efb36a5798c14885be1cb4df2e39278447cb9
Opcode Fuzzy Hash: e6017f7ab082a5a4d2e50590958008fce340485f06153e9b2fa526acebc32c48
Instruction Fuzzy Hash: 4C3127B0A043089ADB309F658C817EB37A5EB06304F54415BE8A18B392D77C98D2CBDE

Function 01325930 Relevance: 6.1, APIs: 4, Instructions: 85COMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32(?,00000000,00000001,00000000), ref: 01325987
freeaddrinfo.WS2_32(00000000), ref: 013259AE
RtlIpv4AddressToStringA.NTDLL(?,?), ref: 013259E3
freeaddrinfo.WS2_32(00000000,?,?), ref: 01325A08

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: freeaddrinfo$AddressIpv4Stringgetaddrinfo
String ID:
API String ID: 1652273897-0
Opcode ID: 92bee078804525b0f685456edefbb75c42096b0974b234fca82447c5241572c0
Instruction ID: b1230abf897f3ec4581b48441590d19cb87f34b26b8f75ab69de02550711224d
Opcode Fuzzy Hash: 92bee078804525b0f685456edefbb75c42096b0974b234fca82447c5241572c0
Instruction Fuzzy Hash: 9031E370E0020D9FDF14DFA8D944AEEB7B9FF5A318F104259E405BB115EB71AA85CB50

Function 012271B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 012271FD
GetFileType.KERNELBASE(00000000), ref: 0122720F

Strings

@GP, xrefs: 01227244

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: FileHandleType
String ID: @GP
API String ID: 3000768030-1535696100
Opcode ID: a626ef345b1358897be5dc3151bbd003324606da5cb09d770ff0053ebb60b5cb
Instruction ID: 366d393b676f604182dc2f0971ffbe4537d70eea6ddee94b81818ccb0eb1cfa4
Opcode Fuzzy Hash: a626ef345b1358897be5dc3151bbd003324606da5cb09d770ff0053ebb60b5cb
Instruction Fuzzy Hash: 5111E43112C7636AD7344D3E9C9C52A7E95ABA7230B380B1AF6B6C66F2C670D586C241

Function 01224735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 01226BBF: GetEnvironmentStringsW.KERNEL32 ref: 01226BC8
Part of subcall function 01226BBF: _free.LIBCMT ref: 01226C27
Part of subcall function 01226BBF: FreeEnvironmentStringsW.KERNEL32(00000000), ref: 01226C36

_free.LIBCMT ref: 01224775
_free.LIBCMT ref: 0122477C

Strings

xO, xrefs: 01224735, 0122476E

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free$EnvironmentStrings$Free
String ID: xO
API String ID: 2490078468-4170594468
Opcode ID: 11a364c618111a38071e8aab01b05c9bb92d3e508106b40d6acba31c8d3726da
Instruction ID: 99b9a1f4ccb48167dbadd6726367de4544c341e8d742d167988530f5c75d88b4
Opcode Fuzzy Hash: 11a364c618111a38071e8aab01b05c9bb92d3e508106b40d6acba31c8d3726da
Instruction Fuzzy Hash: 02E02B239369B379D239373D7C806BD16494B92270F11032AED30C70C1DFB8444249D5

Function 013338BC Relevance: 4.6, APIs: 3, Instructions: 51threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,Function_000136D2,00000000,00000000,00000000), ref: 01333905
GetLastError.KERNEL32(?,?,?,0132A754,00000000,00000000), ref: 01333911
__dosmaperr.LIBCMT ref: 01333918

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: 5439d0efbf7f609896b83819b27710e3a0fb3a55751de23a1dfc8ddc011a6f6a
Instruction ID: ffc3a787303e8a6f35c908065f667cc9e92f6d2ebfe314ef05bc6eae92522a1e
Opcode Fuzzy Hash: 5439d0efbf7f609896b83819b27710e3a0fb3a55751de23a1dfc8ddc011a6f6a
Instruction Fuzzy Hash: CC01B17250020AEFDF169FA9DC05BAF3BA9FF80369F008158F801A6250DB34DA10DB98

Function 0132A5A0 Relevance: 4.5, APIs: 3, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(0000EA60), ref: 0132A5BA
GetCurrentProcessId.KERNEL32 ref: 0132A5D5
ExitProcess.KERNEL32 ref: 0132A5E6

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Process$CurrentExitSleep
String ID:
API String ID: 4116356188-0
Opcode ID: 6e97861924b91695c3f4481a14cf2f38bf9a92adc1058ab5f6cd5e096b2bcb84
Instruction ID: 9bd20a4a53928e5b5333128021a119e5af63278b911fab37eae15d989e7643d0
Opcode Fuzzy Hash: 6e97861924b91695c3f4481a14cf2f38bf9a92adc1058ab5f6cd5e096b2bcb84
Instruction Fuzzy Hash: 14E08C38900230CFDB316B74A40C75B3EAABF5A32AF015425E40577599CF706404CFA1

Function 01328060 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 504COMMON

Download Yara Rule

APIs

Part of subcall function 01325A20: StrStrA.SHLWAPI(00000031,32k1-jk-f-12121482014902184021jf0j10jf031jf01,?,?,?,?,?,?,?,?,?,?,?,0132850F,?,00000000), ref: 01325AEF

Part of subcall function 01325A20: lstrlenA.KERNEL32(32k1-jk-f-12121482014902184021jf0j10jf031jf01,?,?,?,?,?,?,?,?,?,?,?,0132850F,?,00000000), ref: 01325B09

std::_Xinvalid_argument.LIBCPMT ref: 013286D7

Part of subcall function 0132ECE2: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0132ECEE
Part of subcall function 0132ECE2: __CxxThrowException@8.LIBVCRUNTIME ref: 0132ECFC

Strings

list<T> too long, xrefs: 013286D2

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentlstrlenstd::_std::invalid_argument::invalid_argument
String ID: list<T> too long
API String ID: 882462350-4027344264
Opcode ID: e0dd6d7a0be129661cde273daaab803c8090f80d5221494767dd519e4c465c00
Instruction ID: ec324595413f4bba27d4748eb357e2473264eb65fc1b3bc7213504d988c4264d
Opcode Fuzzy Hash: e0dd6d7a0be129661cde273daaab803c8090f80d5221494767dd519e4c465c00
Instruction Fuzzy Hash: 9D129071910229DFDB18EF58CD80BAEBBB6BF54318F1482D8D509A7385D730AA85CF51

Function 0041AC48 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,00D220A0,000000FF), ref: 0041AC78

Strings

Out of memory in _setargv0, xrefs: 0041AC60

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: FileModuleName
String ID: Out of memory in _setargv0
API String ID: 514040917-2942948061
Opcode ID: b130977185ede6975fc81d0e498ff539f6ff8050e4efa39814ce17f4fecb8756
Instruction ID: 8a7ad9b2d21991a1cb191d9ba2d548ed6a3c143766770e086a5f2f1e622fcc32
Opcode Fuzzy Hash: b130977185ede6975fc81d0e498ff539f6ff8050e4efa39814ce17f4fecb8756
Instruction Fuzzy Hash: 77D05EB13893122AE2146AD96EC3F7112498714709F50002BF7044A1D1DAD80DE0411D

Function 00406D02 Relevance: 3.2, APIs: 2, Instructions: 171libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406A78: lstrcmpiA.KERNEL32(00000000,?), ref: 00406AE5

GetModuleHandleA.KERNEL32(?), ref: 00406D9F
LoadLibraryA.KERNEL32(?,?,00008000), ref: 00406DE5

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: HandleLibraryLoadModulelstrcmpi
String ID:
API String ID: 1807310131-0
Opcode ID: 65269b10310d135794c3f9778b72bdcdfff03c5285d6f81311c37d00341f240e
Instruction ID: dbd80ae6ca460460c6c685332eb3614416d1502347f7d3d9015c66c16be920aa
Opcode Fuzzy Hash: 65269b10310d135794c3f9778b72bdcdfff03c5285d6f81311c37d00341f240e
Instruction Fuzzy Hash: 17615075D04208EFCB04DFA4D885B9EBBB5BF45304F1081AEE815AB381DB39AA45CF95

Function 013370D0 Relevance: 3.1, APIs: 2, Instructions: 67COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 0133711C
GetFileType.KERNELBASE(00000000), ref: 0133712E

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: FileHandleType
String ID:
API String ID: 3000768030-0
Opcode ID: f8b7932761701d4068e97f9a5a855c4f2b75feb4e6f382095bdc33d869235744
Instruction ID: a0a7dfe90f06062a98c69da66501a2c2f18608db4aa4ddb5a172193dbe992f5c
Opcode Fuzzy Hash: f8b7932761701d4068e97f9a5a855c4f2b75feb4e6f382095bdc33d869235744
Instruction Fuzzy Hash: DE11ECF790479147D7304E3D8C88A22BEAAA7D6238F24071AE6B6D65F2D730D445D248

Function 0133739C Relevance: 3.1, APIs: 2, Instructions: 57COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47426f0a99a9ae0b765c2024be68fea99a6ef9775fef4e67f7e51cb592b18550
Instruction ID: 8eb5367055503b9645777a1b4983ca9471419231227fab5f31a21fac5a6c47ab
Opcode Fuzzy Hash: 47426f0a99a9ae0b765c2024be68fea99a6ef9775fef4e67f7e51cb592b18550
Instruction Fuzzy Hash: 4301B5777102255FEB269D6EEC8095A3BAAABC43347148120FA14EB148DB31E4018794

Function 013336D2 Relevance: 3.0, APIs: 2, Instructions: 38threadCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(01349A28,0000000C), ref: 013336E5
ExitThread.KERNEL32 ref: 013336EC

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: dea0784346f93db8dd479dd0023ca46dfc4495208ef2ae1260f6d06ddd0cac98
Instruction ID: 9aeafd35ab94ee4ae45eefc41ae8aef831810e2f0257edb29c82d5b4fc9ed951
Opcode Fuzzy Hash: dea0784346f93db8dd479dd0023ca46dfc4495208ef2ae1260f6d06ddd0cac98
Instruction Fuzzy Hash: 12F0C2759002069FDB11BFB8D849A6E3B75FF84728F104248F006A7651CB346941DFA5

Function 0132DEDC Relevance: 3.0, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 0132E441

Part of subcall function 0132F437: RaiseException.KERNEL32(?,?,?,0132E463,?,?,?,?,?,?,?,?,0132E463,?,013497BC), ref: 0132F497

__CxxThrowException@8.LIBVCRUNTIME ref: 0132E45E

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID:
API String ID: 3476068407-0
Opcode ID: 89363efe53cf2840974abcd4474f6e625b6ac01f82a30f79710f927faed61f9d
Instruction ID: 858037ecd8b7f064a28b7dc7566e6972f5b9c9f0d8d50ac087a55f6ad101c9b1
Opcode Fuzzy Hash: 89363efe53cf2840974abcd4474f6e625b6ac01f82a30f79710f927faed61f9d
Instruction Fuzzy Hash: 29F0B43180021E77CB04FAEDE849D9E3B6C592012CB908175EA28A1490EB70E65682D0

Function 01221BA0 Relevance: 3.0, APIs: 2, Instructions: 30COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 01221BE3
ExitProcess.KERNEL32 ref: 01221C11

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 3ca24af4ab2577f874c32e62f6a3d0441db063e56d9d03d5cca0fa4daa7c8df9
Instruction ID: d6fddb3ffa3d6922ece75a31ac1cc23740a418bb4390fcc70fa72849c2d78220
Opcode Fuzzy Hash: 3ca24af4ab2577f874c32e62f6a3d0441db063e56d9d03d5cca0fa4daa7c8df9
Instruction Fuzzy Hash: 01F049B451430ABBDB30EFA4F849B5DBBE4BB44354F004418EA54832A4E734E61ADBA6

Function 0132DAE0 Relevance: 3.0, APIs: 2, Instructions: 16COMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(?), ref: 0132DAFB
CommandLineToArgvW.SHELL32(00000000), ref: 0132DB02

Part of subcall function 0132DB10: lstrcpyA.KERNEL32(00000000,askg-9dwkaJU90TAE4320-FOKE904116FSAG156JEWG), ref: 0132DB69
Part of subcall function 0132DB10: ReleaseMutex.KERNEL32(?), ref: 0132DB84
Part of subcall function 0132DB10: CloseHandle.KERNEL32(?), ref: 0132DB8C
Part of subcall function 0132DB10: CreateMutexA.KERNELBASE(00000000,00000001,00000000), ref: 0132DBA1
Part of subcall function 0132DB10: GetLastError.KERNEL32 ref: 0132DBB1
Part of subcall function 0132DB10: ReleaseMutex.KERNEL32(?), ref: 0132DBD8
Part of subcall function 0132DB10: CloseHandle.KERNEL32(?), ref: 0132DBE0
Part of subcall function 0132DB10: CreateMutexA.KERNELBASE(00000000,00000000,00000000), ref: 0132DC09

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Mutex$CloseCommandCreateHandleLineRelease$ArgvErrorLastlstrcpy
String ID:
API String ID: 2550419470-0
Opcode ID: 571543bbde7795d2a397e14597f35a3d58182bc5d70590e4e06ca39c8e1922d5
Instruction ID: da5770ca2bbae9b78daf8cfed6ec23ff5e37e9bc9a30b754d66ce3b33e27b5b3
Opcode Fuzzy Hash: 571543bbde7795d2a397e14597f35a3d58182bc5d70590e4e06ca39c8e1922d5
Instruction Fuzzy Hash: 2CD09E7890020CABC724AFF9ED4C64EBBBCEF04701F604965E601A7504DE34B6048B65

Function 01321180 Relevance: 1.7, APIs: 1, Instructions: 159networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 013211BE

Part of subcall function 0132A5F0: InitializeCriticalSection.KERNEL32(00000020,7B2C007C,00000004,?,00000000), ref: 0132A637
Part of subcall function 0132A5F0: wsprintfA.USER32 ref: 0132A6D7
Part of subcall function 0132A5F0: CreateSemaphoreA.KERNEL32(00000000,00000000,7FFFFFFF,?), ref: 0132A6F0
Part of subcall function 0132A5F0: InitializeCriticalSection.KERNEL32(00000040), ref: 0132A705
Part of subcall function 0132A5F0: Sleep.KERNELBASE(0000000A), ref: 0132A759

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CriticalInitializeSection$CreateSemaphoreSleepStartupwsprintf
String ID:
API String ID: 3317758546-0
Opcode ID: 4c81feced85962bf8b62701cd1180b5fb970b65f0d34985ca3941e4a9c15baea
Instruction ID: edbf412dcd36a821c88790b92d921fbcb0de391923f7dbe01b605b84474fe9bd
Opcode Fuzzy Hash: 4c81feced85962bf8b62701cd1180b5fb970b65f0d34985ca3941e4a9c15baea
Instruction Fuzzy Hash: 2251B471D00319ABEB10EF98CC85BDEBBB8FF29708F144159E504BB281E7755648CBA0

Function 0133A432 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

Part of subcall function 01337210: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01335B98,00000001,00000364,00000008,000000FF,?,?,01335CC6,01335CFA,?,?,01335318), ref: 01337251

_free.LIBCMT ref: 0133A4A1

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 4f0f330ebff77c45126fbbde768a9c9102f7250cbf911937bfa4c27d9d66663d
Instruction ID: bf9d2f10a591cb8a1fc6adfd50a062f382ff7457d8e25ae5c5f9cfc849a84c6d
Opcode Fuzzy Hash: 4f0f330ebff77c45126fbbde768a9c9102f7250cbf911937bfa4c27d9d66663d
Instruction Fuzzy Hash: 140149726043176FD321CF6CC88599AFB98FB843B4F140629E595F76C0E770A810C7A8

Function 0132D660 Relevance: 1.5, APIs: 1, Instructions: 43networkCOMMON

Download Yara Rule

APIs

send.WS2_32(00000000,?,?,00000000), ref: 0132D68C

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: ce92ef8ce3c56a1c7a3a299b16c27714ff06663fa5f8d34e63d89ea573728392
Instruction ID: 17d4033c8aa1af6e2066c15b942fe28f5980432f899d2cdda4ba7a8a3b21eee6
Opcode Fuzzy Hash: ce92ef8ce3c56a1c7a3a299b16c27714ff06663fa5f8d34e63d89ea573728392
Instruction Fuzzy Hash: 50F0E9327011286BD3306AADAD84AB7F7ACDFC5675F61436AFD0CD7280E562DC4142E0

Function 01337210 Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,01335B98,00000001,00000364,00000008,000000FF,?,?,01335CC6,01335CFA,?,?,01335318), ref: 01337251

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 062865fdea024dc7dfd2e5db7a6a34cc3258e963db5cdbb19335f55d32cc2247
Instruction ID: d289ac25eee2510c81f2024fda546871248a1e006a52efeaf4b14a105fee3f47
Opcode Fuzzy Hash: 062865fdea024dc7dfd2e5db7a6a34cc3258e963db5cdbb19335f55d32cc2247
Instruction Fuzzy Hash: 07F0E2B1601229A7EB311A6E9844B5A7B4CAFC27B8B188112FE14F6184CF20E40186EC

Function 01335D0E Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,013339DF,?,?,01333B05,?,?,01333AD8,?,00000000,?,?,?,?,013339DF,?), ref: 01335D40

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b5fd08a50633f6ea2b0c6674437db1abd57bc3dd1f4e9634f27b53a78c19cc75
Instruction ID: 5f2320dd6a8753aa74aa4b130a1c809ae7e9ff7c887679c277be71be64ac5b96
Opcode Fuzzy Hash: b5fd08a50633f6ea2b0c6674437db1abd57bc3dd1f4e9634f27b53a78c19cc75
Instruction Fuzzy Hash: C5E02275100626A7EB312A6D9C0CB9FBE5C9FD13B9F080120ED14AA490CF20D8438AEC

Function 004105F0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32 ref: 0041060C

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: FileType
String ID:
API String ID: 3081899298-0
Opcode ID: 855b6c7354ddf3431956d7bb09b244747a57efe484c7028d1ad1b2b387a83e7a
Instruction ID: ece91d78cbcfa15b7b69ddd655c9d6869e5b97ae9f703c7545144adfe790bb62
Opcode Fuzzy Hash: 855b6c7354ddf3431956d7bb09b244747a57efe484c7028d1ad1b2b387a83e7a
Instruction Fuzzy Hash: 13D0A7332582085A9A10DBF1FCC180A735DF281238B904112E00C82515C67BB5D189A8

Function 00419E74 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GlobalMemoryStatus.KERNEL32 ref: 00419E7F

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: caea38b1e1c07932f35114d039bd7da8db6486b9ea794cca1521de716290f2de
Instruction ID: dc1190e6d1d7193cfc3b50af8069e1585b856c148f341bb7123317756b66f15c
Opcode Fuzzy Hash: caea38b1e1c07932f35114d039bd7da8db6486b9ea794cca1521de716290f2de
Instruction Fuzzy Hash: D0B092344046106BE2106B29CD82B5EB290AB84728FC44608B4F8463C2E77D52A48B8B

Function 0041931C Relevance: 1.3, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,004108A6,00002000,00000001,00D20000,?,00419812,0040F8A8,00000004,004108A7,00000000,004108A7,004108AA), ref: 00419368

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 86a125e0cd4dfdb7b2e82ac6f3cfd80f3c3788dbbc83177cf6d2894eb4e25684
Instruction ID: 4604f6e08d200e8b283d5d0738b7955d8eabfef7505b35234b0acc47fb15d85f
Opcode Fuzzy Hash: 86a125e0cd4dfdb7b2e82ac6f3cfd80f3c3788dbbc83177cf6d2894eb4e25684
Instruction Fuzzy Hash: FCF01D703983089FEB20DF95ECD5BA677E5FB54318F504532E9148B3A5D3B9ACC18618

Function 00419388 Relevance: 1.3, APIs: 1, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000004,00001000,00001000,00000004,0040E8A8,0040E8A8,00D20000,?,00419924,00000004,0040E8A8,00000000,004108A7,004108AA), ref: 004193A7

Part of subcall function 004193DC: VirtualFree.KERNEL32(00D20000,004199EF,00004000,?,004199EF,00D20000,0041B356,0041B452,00000000), ref: 004193EC

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 4d27b5ec2ced0ea1a562c02fa45f95318fd3b614bc5d91e31200cd29130165be
Instruction ID: beb6835c91bf043c98e0cbc95115ed4b284aba5560e972d4f03f207468a66b83
Opcode Fuzzy Hash: 4d27b5ec2ced0ea1a562c02fa45f95318fd3b614bc5d91e31200cd29130165be
Instruction Fuzzy Hash: 59E06572A4035826E62114659CA1BDBA64CCB49BF5F140126FE549A7C4D1E9AD8180A8

Function 0041931B Relevance: 1.3, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,004108A6,00002000,00000001,00D20000,?,00419812,0040F8A8,00000004,004108A7,00000000,004108A7,004108AA), ref: 00419368

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 80775a99b22b372225d3981e10d81926afe722e07feb01a3dd8d2f6286754185
Instruction ID: deda021343847105b1e30ba58a0d79ed6ba3bf1789be43f8b9147956badc29a3
Opcode Fuzzy Hash: 80775a99b22b372225d3981e10d81926afe722e07feb01a3dd8d2f6286754185
Instruction Fuzzy Hash: 59F0A7303883089EEB30CBA0ECD5BA637E4EB54308F100136F814CB2E1C2B49CC1C618

Non-executed Functions

Function 01323700 Relevance: 35.3, APIs: 15, Strings: 5, Instructions: 290stringprocessmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 013241E0: WideCharToMultiByte.KERNEL32(00000000,00000000,-00000005,000000FF,00000000,00000000,00000000,00000000,00000008,00000006), ref: 013242F4

AllocateAndInitializeSid.ADVAPI32 ref: 0132377D
CheckTokenMembership.ADVAPI32(00000000,00000000,?), ref: 01323794
FreeSid.ADVAPI32(00000000), ref: 0132379E
WTSEnumerateSessionsA.WTSAPI32(00000000,00000000,00000001,00000000,00000000), ref: 01323805
WTSQuerySessionInformationA.WTSAPI32(00000000,?,00000005,?,?,?,?,?), ref: 01323877
lstrcpyA.KERNEL32(?,?), ref: 013238A7
WTSFreeMemory.WTSAPI32(?), ref: 013238B4
lstrcmpA.KERNEL32(?,?), ref: 013238C6
WTSFreeMemory.WTSAPI32(00000000), ref: 013238FD
GetCurrentProcess.KERNEL32 ref: 01323918
WTSQueryUserToken.WTSAPI32(?,00000000), ref: 01323932
DuplicateTokenEx.ADVAPI32(?,02000000,00000000,00000001,00000001,00000000), ref: 0132396C
SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 01323986
CreateProcessAsUserA.ADVAPI32(?,00000044,00000000,00000000,00000000,00000000,00000430,00000000,00000000,00000012,?), ref: 01323A10

Strings

GetSessionByUserName Error!, xrefs: 01323A50
SYSTEM, xrefs: 013237B5
D, xrefs: 013239A0
Start Clnt program error!, xrefs: 01323AE2
StartBeCtrlAsUser Error!, xrefs: 01323A39, 01323A7C

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Token$Free$InformationMemoryProcessQueryUser$AllocateByteCharCheckCreateCurrentDuplicateEnumerateInitializeMembershipMultiSessionSessionsWidelstrcmplstrcpy
String ID: D$GetSessionByUserName Error!$SYSTEM$Start Clnt program error!$StartBeCtrlAsUser Error!
API String ID: 3661800896-3660129879
Opcode ID: 03943313209ce52f0e71d4d8bab6b691c83ee96388ce8eb06697238a1f8fd26d
Instruction ID: 49c251c370f1fca392b13906c6b74af529c6b124a7ff69ae573699423777cab6
Opcode Fuzzy Hash: 03943313209ce52f0e71d4d8bab6b691c83ee96388ce8eb06697238a1f8fd26d
Instruction Fuzzy Hash: 17B18F75608355AFE7709F29D845B9BBBE9FFC8B08F04491EF98896240DB71E404CB92

Function 0132A880 Relevance: 12.2, APIs: 8, Instructions: 223sleepnetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005197C8,?,?,759230D0), ref: 0132AA9C
select.WS2_32(00000000,00000000,?,00000000,00000000), ref: 0132AAD6
GetLastError.KERNEL32(?,?,759230D0), ref: 0132AAE0
Sleep.KERNEL32(00000064,?,?,759230D0), ref: 0132AAF0
send.WS2_32(?,?,?,00000000), ref: 0132AB0D
shutdown.WS2_32(?,00000002), ref: 0132AB34
LeaveCriticalSection.KERNEL32(00000000,?,?,759230D0), ref: 0132AB40
LeaveCriticalSection.KERNEL32(00000000,?,?,759230D0), ref: 0132AB6A

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CriticalSection$Leave$EnterErrorLastSleepselectsendshutdown
String ID:
API String ID: 3229098634-0
Opcode ID: 770a0e7ad6b0ae6c7a709bcf36d363e90eebd679f00d78227a8ca66ea277d74b
Instruction ID: 72efd6e800d16f8f62d84e649d80807f521f33b01990a07b7c874e0280aec309
Opcode Fuzzy Hash: 770a0e7ad6b0ae6c7a709bcf36d363e90eebd679f00d78227a8ca66ea277d74b
Instruction Fuzzy Hash: 5291F872A002698FDB249F2CCC857D9BBF4AF19304F0541E9E949DB642D635DE86CF90

Function 004113F4 Relevance: 6.1, APIs: 4, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ef900633e176a05decd4d65eaf5a432056b18d8361148eece7bfb8d0319df1
Instruction ID: 8e9b97f1082dd26b644dec1bf0b54e36b4df78435e7100c98221bc0ab041b9b5
Opcode Fuzzy Hash: 98ef900633e176a05decd4d65eaf5a432056b18d8361148eece7bfb8d0319df1
Instruction Fuzzy Hash: 2441FC316006145ACB64CB38CCC05DB77A6AF84734B14C75EEA7ACB2E5DB78D9818754

Function 0040B703 Relevance: 6.1, APIs: 4, Instructions: 55timefileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 0040B716
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0040B78D
FileTimeToDosDateTime.KERNEL32(?,?,?), ref: 0040B7A4
FindClose.KERNEL32(?,?,?), ref: 0040B7AC

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: FileTime$Find$CloseDateFirstLocal
String ID:
API String ID: 2659516521-0
Opcode ID: dea8fbccc65a181ac425a463d04661afa5eba7fac8154edd41207b22717e1493
Instruction ID: 4929490dea871780ca7be77c83795aa3982875203bf53442b6df949735526af2
Opcode Fuzzy Hash: dea8fbccc65a181ac425a463d04661afa5eba7fac8154edd41207b22717e1493
Instruction Fuzzy Hash: 6E117C75904208ABCB00DB54CC85BEEB779EF84314F04C1AAF8186B282D7759A959B98

Function 0040A155 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00409D04), ref: 0040A17A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0040A1CE

Strings

DllGetClassObject, xrefs: 0040A1C3

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: DllGetClassObject
API String ID: 2574300362-1075368562
Opcode ID: f5f30b048913f1e9f425c9767ad0071fb0976a97aa455a6337e709e40ac58349
Instruction ID: b1edd1a73f61097262ab9e8d0ddc22597cbed8dd85478b753700806d9e88f448
Opcode Fuzzy Hash: f5f30b048913f1e9f425c9767ad0071fb0976a97aa455a6337e709e40ac58349
Instruction Fuzzy Hash: 9B313071A40308BAEB20DB91DC43FDD7775AB48B04F10857AF905792C0E7B6AA64CB69

Function 00405918 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00405922

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9fb9587b60405596d460b12b6166390c64b8876fc0ab6e5e20dc957524d17fc8
Instruction ID: 5870528404904ba449a60c71dc331c2b8c4045fc2800e8edcf186cf51ddcd41c
Opcode Fuzzy Hash: 9fb9587b60405596d460b12b6166390c64b8876fc0ab6e5e20dc957524d17fc8
Instruction Fuzzy Hash: 54E0A0F2204805C6D71054BCE949767AA45C341330F5882338501B2AC9D13C8E291E4F

Function 0040596F Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 00405972

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: Version
String ID:
API String ID: 1889659487-0
Opcode ID: 7a2138aa7d4df6c13af0f123527adcc838332f574bafe668b30a7c3000a8475f
Instruction ID: 0d6a264ec3b851e270e6285b47e00a54ca44b1e0e399a80f758534443d972ac8
Opcode Fuzzy Hash: 7a2138aa7d4df6c13af0f123527adcc838332f574bafe668b30a7c3000a8475f
Instruction Fuzzy Hash: BEC092B2184A088AE211224A9456773B24DC710320F50403B6E589A2D2D96ED9929DDE

Function 012270E0 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32 ref: 012270E0

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: HeapProcess
String ID:
API String ID: 54951025-0
Opcode ID: 31462a421bdd72fd5bcf83c965c8c5ce2810c701f0a64081e847c965bf3d349d
Instruction ID: a445e37f1c3de6d7e4d8d87b48e98492d8f806958bc7a0f2f0780632db88022f
Opcode Fuzzy Hash: 31462a421bdd72fd5bcf83c965c8c5ce2810c701f0a64081e847c965bf3d349d
Instruction Fuzzy Hash: A4A02470100100DFC7304F34F10C30D37DCF5047C03044015F404C0014D7354144D700

Function 0132A090 Relevance: 31.8, APIs: 9, Strings: 9, Instructions: 253librarystringloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(Kernel32.dll,00000000,00000000,7B2C007C,?,00000000), ref: 0132A11C
GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 0132A137
WTSQuerySessionInformationA.WTSAPI32(00000000,00000000,00000005,00000000,?), ref: 0132A244
lstrcpyA.KERNEL32(?,00000000), ref: 0132A271
WTSFreeMemory.WTSAPI32(00000000), ref: 0132A27D
WTSFreeMemory.WTSAPI32(00000000), ref: 0132A347

Strings

Load Wtsapi32.dll error!, xrefs: 0132A153
GetProcAddress WTSGetActiveConsoleSessionId error!, xrefs: 0132A13F
GetProcAddress WTSQueryUserToken error!, xrefs: 0132A168
Load Kernel32.dll error!, xrefs: 0132A124
Kernel32.dll, xrefs: 0132A117
WTSGetActiveConsoleSessionId, xrefs: 0132A131
WTSEnumerateSessionsA error!, xrefs: 0132A1A3
WTSQueryUserToken, xrefs: 0132A15A
Wtsapi32.dll, xrefs: 0132A146

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: FreeMemory$AddressInformationLibraryLoadProcQuerySessionlstrcpy
String ID: GetProcAddress WTSGetActiveConsoleSessionId error!$GetProcAddress WTSQueryUserToken error!$Kernel32.dll$Load Kernel32.dll error!$Load Wtsapi32.dll error!$WTSEnumerateSessionsA error!$WTSGetActiveConsoleSessionId$WTSQueryUserToken$Wtsapi32.dll
API String ID: 1218814447-111287784
Opcode ID: 3077d194e725dea77941fe1a3968c86255c91babeb95c96822873cbaadfad974
Instruction ID: 806ccedac02ab2244d11530838cb3c873054e421c8508225ca5a5f62e2380d57
Opcode Fuzzy Hash: 3077d194e725dea77941fe1a3968c86255c91babeb95c96822873cbaadfad974
Instruction Fuzzy Hash: F1A1B971900239ABDB25EB64CC45FDEB7B8EF58708F1041D9E608B7691DB716A84CF90

Function 01327A70 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 208networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 01327B25
connect.WS2_32(00000000,?,00000010), ref: 01327B3D
setsockopt.WS2_32(00000000,0000FFFF,00001006,?,00000004), ref: 01327B63
recv.WS2_32(00000000,00002000,00002000,00000000), ref: 01327BC1
StrStrA.SHLWAPI(00000000,), ref: 01327BD3
shutdown.WS2_32(00000000,00000002), ref: 01327BED
closesocket.WS2_32(00000000), ref: 01327BF4

Strings

, xrefs: 01327BCB
HTTP, xrefs: 01327C29
lish, xrefs: 01327C3E

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: closesocketconnectrecvsetsockoptshutdownsocket
String ID: $HTTP$lish
API String ID: 12264450-1280769669
Opcode ID: 992a438a5a648760d6fb54446f7348117f7264a4b1d2bd401f21f41e75879fa0
Instruction ID: 662e17d8ff7517e5bbcb4d0d5f0df6a47bcbee4a9504e49c51c5a395eebbebd0
Opcode Fuzzy Hash: 992a438a5a648760d6fb54446f7348117f7264a4b1d2bd401f21f41e75879fa0
Instruction Fuzzy Hash: C1612671A002299BEB10AFBCAC84BBEBB7CBF25714F044125F905A7281EB309545C7A1

Function 01324B00 Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 389synchronizationnetworkCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 01324B15
LeaveCriticalSection.KERNEL32(?), ref: 01324BA5
LeaveCriticalSection.KERNEL32(?), ref: 01324C48
std::_Xinvalid_argument.LIBCPMT ref: 01324C5E

Part of subcall function 0132ECE2: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0132ECEE
Part of subcall function 0132ECE2: __CxxThrowException@8.LIBVCRUNTIME ref: 0132ECFC

WaitForSingleObject.KERNEL32(FFFFFFFF,00000001,0000002E,01000005,?,?,0000000E,00000000,FFFFFFFF,?,?,?,?), ref: 01324D8C
select.WS2_32(00000000,?,00000000,00000000,01000005), ref: 01324DD2
recv.WS2_32(FFFFFFFF,?,0000FFEB,00000000), ref: 01324DEA
WaitForSingleObject.KERNEL32(00000064,00000001,?,?,?), ref: 01324E0F

Part of subcall function 01324F60: EnterCriticalSection.KERNEL32(?,?,?,FFFFFFFF,?,01324E31,?,00000000,?,?,?), ref: 01324F78
Part of subcall function 01324F60: LeaveCriticalSection.KERNEL32(00000000,?,?,?,01324E31,?,00000000,?,?,?), ref: 0132500C

shutdown.WS2_32(FFFFFFFF,00000002), ref: 01324E60
closesocket.WS2_32(FFFFFFFF), ref: 01324E67

Strings

list<T> too long, xrefs: 01324C59
d, xrefs: 01324DC4

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CriticalSection$Leave$EnterObjectSingleWait$Exception@8ThrowXinvalid_argumentclosesocketrecvselectshutdownstd::_std::invalid_argument::invalid_argument
String ID: d$list<T> too long
API String ID: 3101977790-3395611635
Opcode ID: 52dc604cb6e11f569a63571f77cebccd0bb6289566a44a279f7417c17784ec82
Instruction ID: 6de691d19ec8edd51238539719917f55efb2e55925856108f5369a058e3ed153
Opcode Fuzzy Hash: 52dc604cb6e11f569a63571f77cebccd0bb6289566a44a279f7417c17784ec82
Instruction Fuzzy Hash: 47E1D471A00228DFDB24DF58C884BAEBBF5FF88314F144169E95AAB391D770A940CF90

Function 0132CDB0 Relevance: 21.1, APIs: 14, Instructions: 134sleepfilepipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0132CDBE

Part of subcall function 0132D370: SetEvent.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D385
Part of subcall function 0132D370: SetEvent.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D392
Part of subcall function 0132D370: SetEvent.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D39F
Part of subcall function 0132D370: SetEvent.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D3AC
Part of subcall function 0132D370: TerminateThread.KERNEL32(?,00000000,?,00000000,7B2C007C,?,00000000), ref: 0132D3DC
Part of subcall function 0132D370: TerminateThread.KERNEL32(?,00000000,?,00000000,7B2C007C,?,00000000), ref: 0132D40F
Part of subcall function 0132D370: CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D425
Part of subcall function 0132D370: CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D432
Part of subcall function 0132D370: CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D43F
Part of subcall function 0132D370: CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D44C
Part of subcall function 0132D370: CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D459
Part of subcall function 0132D370: CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D466

CloseHandle.KERNEL32(?), ref: 0132CDEA
CloseHandle.KERNEL32(?), ref: 0132CE06
WaitNamedPipeA.KERNEL32(00000104,00000000), ref: 0132CE22
CreateFileA.KERNEL32(00000104,40000000,00000000,00000000,00000003,00000080,00000000), ref: 0132CE50
CloseHandle.KERNEL32(?), ref: 0132CE78
Sleep.KERNEL32(00000064), ref: 0132CE88
WaitNamedPipeA.KERNEL32(00000000,00000000), ref: 0132CE91
CreateFileA.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000080,00000000), ref: 0132CEB3
Sleep.KERNEL32(00000064), ref: 0132CECD
GetTickCount.KERNEL32 ref: 0132CED3
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0132CEFB
CreateThread.KERNEL32(00000000,00000000,0132CFF0,?,00000000,00000000), ref: 0132CF16
CloseHandle.KERNEL32(?), ref: 0132CF26

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CloseHandle$Event$Create$Thread$CountFileNamedPipeSleepTerminateTickWait
String ID:
API String ID: 1774339238-0
Opcode ID: 1c77733e1f2c2cab38984c341acf0d78afac0bd676560c3ea8c211c09900e628
Instruction ID: b49b55ca5e2b26df8a566dfbecdbc0756673d3e1523c87f1ca94e51ca41c8189
Opcode Fuzzy Hash: 1c77733e1f2c2cab38984c341acf0d78afac0bd676560c3ea8c211c09900e628
Instruction Fuzzy Hash: 9341B071640710ABE7306B38AC49B5F7BA9AF01B35F204B19F679F61D0CBB0B9458B58

Function 0132D370 Relevance: 21.1, APIs: 14, Instructions: 98threadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D385
SetEvent.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D392
SetEvent.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D39F
SetEvent.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D3AC
TerminateThread.KERNEL32(?,00000000,?,00000000,7B2C007C,?,00000000), ref: 0132D3DC
CloseHandle.KERNEL32(?,?,00000000,7B2C007C,?,00000000), ref: 0132D3E5
TerminateThread.KERNEL32(?,00000000,?,00000000,7B2C007C,?,00000000), ref: 0132D40F
CloseHandle.KERNEL32(?,?,00000000,7B2C007C,?,00000000), ref: 0132D418
CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D425
CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D432
CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D43F
CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D44C
CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D459
CloseHandle.KERNEL32(?,75922EE0,00000000,0132CFA9,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132D466

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CloseHandle$Event$TerminateThread
String ID:
API String ID: 1027209558-0
Opcode ID: 1ccad4e13d1fd7746222f89fa609f2828c5ac5e3e3da311510e9cb97c9b65a67
Instruction ID: 68aca0aa52c9d9eb28127e08365084e86fab3821db937ddaad0f2e708780e37a
Opcode Fuzzy Hash: 1ccad4e13d1fd7746222f89fa609f2828c5ac5e3e3da311510e9cb97c9b65a67
Instruction Fuzzy Hash: BC31EB706407159BE734BBBAD888B97B7EDAF64704F15481DE55AE3290CFB4F440CA60

Function 0133AAFA Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0133AB3E

Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A6F4
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A706
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A718
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A72A
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A73C
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A74E
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A760
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A772
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A784
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A796
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A7A8
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A7BA
Part of subcall function 0133A6D7: _free.LIBCMT ref: 0133A7CC

_free.LIBCMT ref: 0133AB33

Part of subcall function 01335CD4: HeapFree.KERNEL32(00000000,00000000,?,01335318), ref: 01335CEA
Part of subcall function 01335CD4: GetLastError.KERNEL32(?,?,01335318), ref: 01335CFC

_free.LIBCMT ref: 0133AB55
_free.LIBCMT ref: 0133AB6A
_free.LIBCMT ref: 0133AB75
_free.LIBCMT ref: 0133AB97
_free.LIBCMT ref: 0133ABAA
_free.LIBCMT ref: 0133ABB8
_free.LIBCMT ref: 0133ABC3
_free.LIBCMT ref: 0133ABFB
_free.LIBCMT ref: 0133AC02
_free.LIBCMT ref: 0133AC1F
_free.LIBCMT ref: 0133AC37

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: d7fd11fdf193229c95e423969b03f3e36d90427df2c296dbaa0c81a637d23bba
Instruction ID: 4ae255e86a7e6f4049cdebd48e29054b3da73465e710037dda377e21f28c23d2
Opcode Fuzzy Hash: d7fd11fdf193229c95e423969b03f3e36d90427df2c296dbaa0c81a637d23bba
Instruction Fuzzy Hash: CB31A1316047059FEF25AA3CD984B9AB7F9EF8035CF244919E295DB1A0DFB5E880C718

Function 01227EBC Relevance: 19.6, APIs: 13, Instructions: 113COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 01227F00

Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E04
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E16
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E28
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E3A
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E4C
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E5E
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E70
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E82
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229E94
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229EA6
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229EB8
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229ECA
Part of subcall function 01229DE7: _free.LIBCMT ref: 01229EDC

_free.LIBCMT ref: 01227EF5

Part of subcall function 012257D7: HeapFree.KERNEL32(00000000,00000000,?,01224A34), ref: 012257ED
Part of subcall function 012257D7: GetLastError.KERNEL32(?,?,01224A34), ref: 012257FF

_free.LIBCMT ref: 01227F17
_free.LIBCMT ref: 01227F2C
_free.LIBCMT ref: 01227F37
_free.LIBCMT ref: 01227F59
_free.LIBCMT ref: 01227F6C
_free.LIBCMT ref: 01227F7A
_free.LIBCMT ref: 01227F85
_free.LIBCMT ref: 01227FBD
_free.LIBCMT ref: 01227FC4
_free.LIBCMT ref: 01227FE1
_free.LIBCMT ref: 01227FF9

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: b4d5be496ced77409db7bfd69a5b4472b426a41061743106462fef63569e94de
Instruction ID: b5bd0f40bf312fcaf1eb0cdff868e41fbaf6a1053ce2424f17f09122fc1370f7
Opcode Fuzzy Hash: b4d5be496ced77409db7bfd69a5b4472b426a41061743106462fef63569e94de
Instruction Fuzzy Hash: 5B313031529623FFEB25AA39DC44FBE77E8AF20210F208419F699D7590DB75E940CB60

Function 01323F10 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 182stringCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,7B2C007C,?,?), ref: 01324005
lstrcpyA.KERNEL32(00000000,5C2E5C5C,?,?,?,?,?,?,?,?,?,?,?,?,?,7B2C007C), ref: 013240B6
lstrcatA.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,7B2C007C), ref: 013240C4
lstrcpyA.KERNEL32(-00000104,5C2E5C5C,?,?,?,?,?,?,?,?,?,?,?,?,?,7B2C007C), ref: 013240D1
lstrcatA.KERNEL32(-00000104,?,?,?,?,?,?,?,?,?,?,?,?,?,?,7B2C007C), ref: 013240DE
LeaveCriticalSection.KERNEL32(?), ref: 013241AD

Strings

wirte_pipe_session%d, xrefs: 01323FB7
\\.\, xrefs: 0132409D
pipe, xrefs: 013240A7
read_pipe_session%d, xrefs: 01323F74

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CriticalSectionlstrcatlstrcpy$EnterLeave
String ID: \\.\$pipe$read_pipe_session%d$wirte_pipe_session%d
API String ID: 2748643047-1936593525
Opcode ID: 9e2a7482bfa33662fa1be4df7979a429a6d0055a26ecc180f97eb300a203098f
Instruction ID: a644279fea0697b3450cd263c16e026cca2270d3ce27438fa6cdf08db0126bfd
Opcode Fuzzy Hash: 9e2a7482bfa33662fa1be4df7979a429a6d0055a26ecc180f97eb300a203098f
Instruction Fuzzy Hash: 3A71C0B18003149BE721EF28DC44BEABBB8FF18708F1401ADE5596B281D7B57695CB94

Function 0133A0CA Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 203COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0133A0F4
_free.LIBCMT ref: 0133A1CD
_free.LIBCMT ref: 0133A1FA

Strings

H/Q, xrefs: 0133A11B, 0133A15A, 0133A167, 0133A19E, 0133A266

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _free$___from_strstr_to_strchr
String ID: H/Q
API String ID: 3409252457-2411224165
Opcode ID: 1b5dd56b267a3849da2324e7c3abdd1a0c1392e415c62b3bc518964108112f4f
Instruction ID: cc493da6f09a177443ffdd3b2a88fcd3249d60d5a58908db6cbb5d7f0de08194
Opcode Fuzzy Hash: 1b5dd56b267a3849da2324e7c3abdd1a0c1392e415c62b3bc518964108112f4f
Instruction Fuzzy Hash: 26510971D05316AFEF21AFBCC840A6DBBA8AF9531CF04426DE690D7291EA729540CB5C

Function 013358DE Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 013358F4

Part of subcall function 01335CD4: HeapFree.KERNEL32(00000000,00000000,?,01335318), ref: 01335CEA
Part of subcall function 01335CD4: GetLastError.KERNEL32(?,?,01335318), ref: 01335CFC

_free.LIBCMT ref: 01335900
_free.LIBCMT ref: 0133590B
_free.LIBCMT ref: 01335916
_free.LIBCMT ref: 01335921
_free.LIBCMT ref: 0133592C
_free.LIBCMT ref: 01335937
_free.LIBCMT ref: 01335942
_free.LIBCMT ref: 0133594D
_free.LIBCMT ref: 0133595B

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1dc3eb7a6c15011a52b0d20b8678eaa2137d9c968b4ae4c8d5a5555bc171689e
Instruction ID: ad8011d039e9fab09595ca860196251c156ceeab8435819ccc5815ae5ef3f6b3
Opcode Fuzzy Hash: 1dc3eb7a6c15011a52b0d20b8678eaa2137d9c968b4ae4c8d5a5555bc171689e
Instruction Fuzzy Hash: EB21877690410DAFCF41EF98C880DDD7BB9BF58258F114165A615DF120EB71EA44CB84

Function 01225097 Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 012250AD

Part of subcall function 012257D7: HeapFree.KERNEL32(00000000,00000000,?,01224A34), ref: 012257ED
Part of subcall function 012257D7: GetLastError.KERNEL32(?,?,01224A34), ref: 012257FF

_free.LIBCMT ref: 012250B9
_free.LIBCMT ref: 012250C4
_free.LIBCMT ref: 012250CF
_free.LIBCMT ref: 012250DA
_free.LIBCMT ref: 012250E5
_free.LIBCMT ref: 012250F0
_free.LIBCMT ref: 012250FB
_free.LIBCMT ref: 01225106
_free.LIBCMT ref: 01225114

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 90f2110b7c8a4b3d87876adf4f7262b6fe29ed00af9aac651c079666d3635641
Instruction ID: 2d7f6e54a688a5f351334a15fb82712b6679a4331bdf9dd5f3de9da166bd5df9
Opcode Fuzzy Hash: 90f2110b7c8a4b3d87876adf4f7262b6fe29ed00af9aac651c079666d3635641
Instruction Fuzzy Hash: FB21A77A91015DFFCB45EF94C880DEE7BB9BF18240B1081A5F6159B560EB31DA44CF80

Function 01328FA0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 295COMMON

Download Yara Rule

APIs

WinHttpSendRequest.WINHTTP(?,00000000,00000000,00000000,00000000,00000000,00000000,7B2C007C,00000000,00000000,00000000), ref: 01328FEE
WinHttpReceiveResponse.WINHTTP(?,00000000), ref: 01329002
WinHttpQueryDataAvailable.WINHTTP(?,?,00000000,00000000,00000000), ref: 01329089
WinHttpReadData.WINHTTP(?,?,?,?), ref: 013290F0

Strings

list<T> too long, xrefs: 013292DE

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Http$Data$AvailableQueryReadReceiveRequestResponseSend
String ID: list<T> too long
API String ID: 1320465519-4027344264
Opcode ID: b3cd7fa492b81bd94b1f6d13c34b7b8a424b838b3a19b8ea9b12dd88d4d12725
Instruction ID: ffb6d00882a6227f47c6adbf10f1c3214b9e0b4cb649c75e88296dcb89e9edc1
Opcode Fuzzy Hash: b3cd7fa492b81bd94b1f6d13c34b7b8a424b838b3a19b8ea9b12dd88d4d12725
Instruction Fuzzy Hash: AFB19375A00226EFDB10EFA8D884B9AFBF5FF59718F244168E515AB344D731B904CBA0

Function 00411CA4 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000103,?,?,?,?,?,00411C9E,00000000,?,?), ref: 00411CC6
GetLogicalDrives.KERNEL32 ref: 00411D2F
GetFullPathNameA.KERNEL32(?,00000103,?,?,?,?,?,?,00411C9E,00000000,?,?), ref: 00411D68

Strings

\, xrefs: 00411D12
., xrefs: 00411D55
:, xrefs: 00411D0B
:, xrefs: 00411D51

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: CurrentDirectoryDrivesFullLogicalNamePath
String ID: .$:$:$\
API String ID: 3194430532-3772505838
Opcode ID: ddf981ba07639a143628a9e050639d1ae56430046a539d517d2774fd35372d29
Instruction ID: 907cad0c699b0da60b69837769f1e6e4ba428848692302a1e1449a7497e7268b
Opcode Fuzzy Hash: ddf981ba07639a143628a9e050639d1ae56430046a539d517d2774fd35372d29
Instruction Fuzzy Hash: D131BC317042489ECB10DB74DC817DF77A4AF61344F1481ABEA4197281DABCDAC6CBA9

Function 0041A53C Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 86filewindowCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000050,Semaphore error ,?), ref: 0041A565
MessageBoxA.USER32(00000000,0041C5DF,00000001,00000000), ref: 0041A5A7
GetStdHandle.KERNEL32(000000F4,Semaphore error ,?), ref: 0041A5B0
WriteFile.KERNEL32(00000000,00421FC0,00000002,?,00000000,000000F4,Semaphore error ,?), ref: 0041A5C5
WriteFile.KERNEL32(00000000,0041C5DF,00000000,?,00000000,00000000,00421FC0,00000002,?,00000000,000000F4,Semaphore error ,?), ref: 0041A5DA
WriteFile.KERNEL32(00000000,00421FC3,00000002,?,00000000,00000000,0041C5DF,00000000,?,00000000,00000000,00421FC0,00000002,?,00000000,000000F4), ref: 0041A5ED

Strings

Semaphore error , xrefs: 0041A54A

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: File$Write$HandleMessageModuleName
String ID: Semaphore error
API String ID: 1009477876-2356287382
Opcode ID: 8919c9ba0c548a3917a9b5e10e387ab53b232c0197472c344645c2999ab0dba4
Instruction ID: 3f577c9411447908690673fd36e9594b8fc9cd7cb36b6ef1ffcd97bd9945a508
Opcode Fuzzy Hash: 8919c9ba0c548a3917a9b5e10e387ab53b232c0197472c344645c2999ab0dba4
Instruction Fuzzy Hash: 9E21077064530479E620E2F19DCAFFB7B5C8B04318F54411BB514691C2EBBC9E9586BF

Function 0132B1E0 Relevance: 12.3, APIs: 8, Instructions: 274sleepCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,00000000), ref: 0132B257

Part of subcall function 0132C2C0: InitializeCriticalSection.KERNEL32(?,7B2C007C,00000000,00000000), ref: 0132C3CA

Part of subcall function 0132C6C0: CreateSemaphoreW.KERNEL32(00000000,00000000,01FFFFFF,00000000,00000000,00000000,0132B2FA), ref: 0132C6D6

Part of subcall function 0132AEF0: Sleep.KERNELBASE(0000000A,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0132AE89,?), ref: 0132AF22
Part of subcall function 0132AEF0: recv.WS2_32(?,?,00000005,00000000), ref: 0132AF47
Part of subcall function 0132AEF0: recv.WS2_32(?,00000000,00000000,00000000), ref: 0132AFBC

EnterCriticalSection.KERNEL32(00000020,?,00000000,00000000,?,00000000,00000000), ref: 0132B38B
LeaveCriticalSection.KERNEL32(?), ref: 0132B422
shutdown.WS2_32(?,00000002), ref: 0132BE09
closesocket.WS2_32(?), ref: 0132BE12
EnterCriticalSection.KERNEL32(00000000,?,00000000,00000000), ref: 0132BE28
LeaveCriticalSection.KERNEL32(?), ref: 0132BE66
Sleep.KERNEL32(00000000), ref: 0132BE82

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CriticalSection$CreateEnterLeaveSleeprecv$EventInitializeSemaphoreclosesocketshutdown
String ID:
API String ID: 3003696879-0
Opcode ID: 729bb134ebfc701674b4d5d9077a2602274ea2695e1c5ea86eb966786c9a1dc9
Instruction ID: 2fd95c4bd49db3bc0a4d260f04ba9f518f6711513e59fa4811180148929295de
Opcode Fuzzy Hash: 729bb134ebfc701674b4d5d9077a2602274ea2695e1c5ea86eb966786c9a1dc9
Instruction Fuzzy Hash: 6CB17F7190022A9BDB34EB18DC50BEDB7B9FF14308F4441A9E55AA7694EB706E84CF90

Function 0132D270 Relevance: 12.1, APIs: 8, Instructions: 83threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,00000000,0132CE19), ref: 0132D282
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0132D292
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0132D2A2
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0132D2B2
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0132D2C2
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 0132D2D2
CreateThread.KERNEL32(00000000,00000000,0132D5B0,00000000,00000000,00000000), ref: 0132D2EE
CreateThread.KERNEL32(00000000,00000000,0132D4C0,00000000,00000000,00000000), ref: 0132D304

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Create$Event$Thread
String ID:
API String ID: 2525963256-0
Opcode ID: 16c80d83f0e4ef41818f0d5a5feec753e278b93a6ec87df25f56a7f685944f79
Instruction ID: 48b521f54f05d52ee9814ae03338b6243408dc3b5637a402c9852bb93d11e85b
Opcode Fuzzy Hash: 16c80d83f0e4ef41818f0d5a5feec753e278b93a6ec87df25f56a7f685944f79
Instruction Fuzzy Hash: 5F21CA70BC0725BAFA356AB99C4EFD6A9A0AB44B14F240116F3186E1D0C7F5B094CAC8

Function 0133EFC7 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,?,?,7FFFFFFF,?,H/Q,0133F283,?,?,?,?,?,?,?,?,H/Q), ref: 0133F06A
__alloca_probe_16.LIBCMT ref: 0133F120
__alloca_probe_16.LIBCMT ref: 0133F1B6
__freea.LIBCMT ref: 0133F221
__freea.LIBCMT ref: 0133F22D

Strings

H/Q, xrefs: 0133EFC9

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: __alloca_probe_16__freea$Info
String ID: H/Q
API String ID: 2330168043-2411224165
Opcode ID: 94a4e1c1e6d8677e8ebd4c5209d51cc47306a70cc6d455ba1798e81d432806d4
Instruction ID: 1ab7ce98f58fb8606a396a37022f9ae0c700473b3cea6737ef16a40083849da6
Opcode Fuzzy Hash: 94a4e1c1e6d8677e8ebd4c5209d51cc47306a70cc6d455ba1798e81d432806d4
Instruction Fuzzy Hash: FA81D776D0020A9BEF209E6CD840EEFBFBD9FD921CF980155E904E7250D725C845CBAA

Function 01324600 Relevance: 10.7, APIs: 7, Instructions: 200synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0132479C
WaitForSingleObject.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?), ref: 013247C8
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 013247D4
shutdown.WS2_32(000002FC,00000002), ref: 013247ED
closesocket.WS2_32(000002FC), ref: 013247F6
ReleaseSemaphore.KERNEL32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0132480A
CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01324813

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CloseHandleObjectSingleWait$ReleaseSemaphoreclosesocketshutdown
String ID:
API String ID: 3217053743-0
Opcode ID: 8a51621f2c2b0a392adf1be37c0416e700b68534d0ddeddf5258288efd9e5d6a
Instruction ID: c8fa59b3fde7957629b1e4f2e275ed4dd4c74dd1d0230c76e6a69434195a59e7
Opcode Fuzzy Hash: 8a51621f2c2b0a392adf1be37c0416e700b68534d0ddeddf5258288efd9e5d6a
Instruction Fuzzy Hash: 6D610972600115EFCB24AFACDD419AEBBBAFF94324F14423AE525E7250DB31A911CB90

Function 01325A20 Relevance: 10.7, APIs: 4, Strings: 3, Instructions: 194stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00000031,32k1-jk-f-12121482014902184021jf0j10jf031jf01,?,?,?,?,?,?,?,?,?,?,?,0132850F,?,00000000), ref: 01325AEF
lstrlenA.KERNEL32(32k1-jk-f-12121482014902184021jf0j10jf031jf01,?,?,?,?,?,?,?,?,?,?,?,0132850F,?,00000000), ref: 01325B09

Strings

0j10jf031jf01, xrefs: 01325BFB
1jf01, xrefs: 01325B18, 01325B48, 01325B7E
32k1-jk-f-12121482014902184021jf0j10jf031jf01, xrefs: 01325AE8, 01325AEB

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: lstrlen
String ID: 0j10jf031jf01$1jf01$32k1-jk-f-12121482014902184021jf0j10jf031jf01
API String ID: 1659193697-1419504729
Opcode ID: 65623f42a82125cc4325222500f54e9e1f46caf2665b57bbe902c2b1f557762c
Instruction ID: 8b05c40699af5142ea1d412d78f70c2a0b17989bc7b398246d03ea9812e02e8a
Opcode Fuzzy Hash: 65623f42a82125cc4325222500f54e9e1f46caf2665b57bbe902c2b1f557762c
Instruction Fuzzy Hash: 7BA1B230D08298DFDF02DBA8D4847DDBFF5AF16348F54408AE451BB242D3BA5A4ACB65

Function 0132F2E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0132F30B
___except_validate_context_record.LIBVCRUNTIME ref: 0132F313
_ValidateLocalCookies.LIBCMT ref: 0132F3A1
__IsNonwritableInCurrentImage.LIBCMT ref: 0132F3CC
_ValidateLocalCookies.LIBCMT ref: 0132F421

Strings

csm, xrefs: 0132F3B6

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8ab7c86629445aadefa4e71db4d7e942228d33a23c980702df96828c9b69981e
Instruction ID: d93ce6ce13fcd468a2c268646e03698d932328f5d6d2f246e8bebc9469814d9e
Opcode Fuzzy Hash: 8ab7c86629445aadefa4e71db4d7e942228d33a23c980702df96828c9b69981e
Instruction Fuzzy Hash: 6B41D634A002199BCF10EF6DC844A9EBBB9EF8532CF148255EA15AB355D731EA05CF91

Function 012228D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 012228FB
___except_validate_context_record.LIBVCRUNTIME ref: 01222903
_ValidateLocalCookies.LIBCMT ref: 01222991
__IsNonwritableInCurrentImage.LIBCMT ref: 012229BC
_ValidateLocalCookies.LIBCMT ref: 01222A11

Strings

csm, xrefs: 012229A6

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9ecf99eebf57c4624058f904409324758e09dc5ea94c5de8fcb4b7ead76b8e50
Instruction ID: fe44f7592b02444534f9a82e68a16a93dc5d6f79d467aabae35e5d6baa04df5d
Opcode Fuzzy Hash: 9ecf99eebf57c4624058f904409324758e09dc5ea94c5de8fcb4b7ead76b8e50
Instruction Fuzzy Hash: 8F419234F2022AFBCB20DF68C844AAEBFA5BF44364F248155E915AB351D772DA11CB91

Function 0132D0D0 Relevance: 10.6, APIs: 7, Instructions: 112sleepfilepipeCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0132D11C
PeekNamedPipe.KERNEL32(?,?,00010000,?,?,?,?,?,?,01323CEB,00000000,?,?,00010000), ref: 0132D167
Sleep.KERNEL32(00000001,?,?,?,01323CEB,00000000,?,?,00010000), ref: 0132D173
SetEvent.KERNEL32(?,?,?,?,01323CEB,00000000,?,?,00010000), ref: 0132D192
ReadFile.KERNEL32(?,00010000,00010000,?,00000000,01323CEB,00000000,?,?,00010000), ref: 0132D1DB
SetEvent.KERNEL32(?,?,00010000), ref: 0132D1FF
SetEvent.KERNEL32(?,?,00010000), ref: 0132D24C

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Event$CountFileNamedPeekPipeReadSleepTick
String ID:
API String ID: 1884357934-0
Opcode ID: 6854af779aa8e73dbec5541697e4b533a99996dad573bacfda51bffad24264c5
Instruction ID: 72f5957d32ec52c875c84e84e5d0d048921595e5a7ffc7371451c92ff9d68d72
Opcode Fuzzy Hash: 6854af779aa8e73dbec5541697e4b533a99996dad573bacfda51bffad24264c5
Instruction Fuzzy Hash: 2E411C71A002299BDB25DF58DC84FDAB7A9FF4C344F1000A5F948A7154CBB0AAD4DB94

Function 0132CCB0 Relevance: 10.6, APIs: 7, Instructions: 80processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(0000000F,00000000,00519788,00000000,005128F8), ref: 0132CCEE
Process32FirstW.KERNEL32(00000000,0000022C), ref: 0132CD02
OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0132CD60
TerminateProcess.KERNEL32(00000000,00000000), ref: 0132CD6D
Process32NextW.KERNEL32(?,0000022C), ref: 0132CD7C

Part of subcall function 0132CCB0: CloseHandle.KERNEL32(?), ref: 0132CD31

CloseHandle.KERNEL32(?), ref: 0132CD8C

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 3e2fcc3e226e836e5b904d46b6fb281b44dbc51f4c4f864199dcf84edc12daf3
Instruction ID: 86b74a9fa418236b543e066b1dc407e332879551355b5fc10e959d310dcdbb35
Opcode Fuzzy Hash: 3e2fcc3e226e836e5b904d46b6fb281b44dbc51f4c4f864199dcf84edc12daf3
Instruction Fuzzy Hash: C021A435A41228ABDB30BF68BC49BAE7BB9EF05714F1001D9E909A7180DB356E45CF50

Function 01226CFE Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

Strings

api-ms-, xrefs: 01226D55
ext-ms-, xrefs: 01226D69

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 703b94b9943000f9d02adc948eeb2abe70db5e9cdfb999fad222c8981467fe59
Instruction ID: 2b4e0c78a1a434adc30977a8a02e904e947ebfd3b1f7ec1be207b73f0e5e8a23
Opcode Fuzzy Hash: 703b94b9943000f9d02adc948eeb2abe70db5e9cdfb999fad222c8981467fe59
Instruction Fuzzy Hash: 29210A33A6523EBBDB324E689C49B6E3B589F01BA0F150510EE06E7285D674ED41C6E0

Function 0132D4C0 Relevance: 10.6, APIs: 7, Instructions: 70synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,0000000A), ref: 0132D4CF
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0132D4E8
WaitForSingleObject.KERNEL32(?,0000000A,?), ref: 0132D518
WaitForSingleObject.KERNEL32(?,000003E8), ref: 0132D52D
CloseHandle.KERNEL32(?), ref: 0132D562
CloseHandle.KERNEL32(?), ref: 0132D57E
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0132D592

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ObjectSingleWait$CloseHandle
String ID:
API String ID: 1103153922-0
Opcode ID: f7cc57f42988277ad00e453ad9e4d4c63afb224ab850f37857e5075b889470e5
Instruction ID: 362f38761e55b68e8b7cc8ef04045343f0966989bdb4038830c762165037a95c
Opcode Fuzzy Hash: f7cc57f42988277ad00e453ad9e4d4c63afb224ab850f37857e5075b889470e5
Instruction Fuzzy Hash: BC21A571300616ABE7746AB9EC88B56F799BB1031DF344724FA29E11E4DBA0E4D1CA80

Function 0133A876 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0133A83E: _free.LIBCMT ref: 0133A863

_free.LIBCMT ref: 0133A8C4

Part of subcall function 01335CD4: HeapFree.KERNEL32(00000000,00000000,?,01335318), ref: 01335CEA
Part of subcall function 01335CD4: GetLastError.KERNEL32(?,?,01335318), ref: 01335CFC

_free.LIBCMT ref: 0133A8CF
_free.LIBCMT ref: 0133A8DA
_free.LIBCMT ref: 0133A92E
_free.LIBCMT ref: 0133A939
_free.LIBCMT ref: 0133A944
_free.LIBCMT ref: 0133A94F

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 36ae34d8c498a0ee66199fbf192589ce521e20ed501f52a735bdbc3930427aff
Instruction ID: 21a3a16bde6ee4a295cac477706dca2f1298a656de0ad67f5756c5e7b5ae9de9
Opcode Fuzzy Hash: 36ae34d8c498a0ee66199fbf192589ce521e20ed501f52a735bdbc3930427aff
Instruction Fuzzy Hash: E8115171580B05AAE920BBB4CC45FCBBFEC5F91708F400915A3DDEF090DA65B5058794

Function 01229F86 Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 01229F4E: _free.LIBCMT ref: 01229F73

_free.LIBCMT ref: 01229FD4

Part of subcall function 012257D7: HeapFree.KERNEL32(00000000,00000000,?,01224A34), ref: 012257ED
Part of subcall function 012257D7: GetLastError.KERNEL32(?,?,01224A34), ref: 012257FF

_free.LIBCMT ref: 01229FDF
_free.LIBCMT ref: 01229FEA
_free.LIBCMT ref: 0122A03E
_free.LIBCMT ref: 0122A049
_free.LIBCMT ref: 0122A054
_free.LIBCMT ref: 0122A05F

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b348e3f783d6a82b4bb9dd030ff3c08d20ef0319aa47b717d37a187bcb2f7b16
Instruction ID: 4205006c5e697a81742937365857255ca4b3ef28aa849fe782551afebeba2522
Opcode Fuzzy Hash: b348e3f783d6a82b4bb9dd030ff3c08d20ef0319aa47b717d37a187bcb2f7b16
Instruction Fuzzy Hash: CF1156319A5B35FADA60BBB0CC45FEFB79CAF12700F404814F39AA6490EB35A5448B50

Function 00410F70 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(?,?,00000104), ref: 00410FA8
SetEnvironmentVariableA.KERNEL32(0000003D,?,?,?,00000104), ref: 00410FC7

Part of subcall function 00412240: GetLastError.KERNEL32(00410D49,?,?,00410BE1,00000000,00000000,?,?,00410BE1,?,?,00000000), ref: 00412240

SetCurrentDirectoryA.KERNEL32(?,?,?,00000104), ref: 00410FD7

Strings

=, xrefs: 00410F8C
:, xrefs: 00410F99

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: EnvironmentVariable$CurrentDirectoryErrorLast
String ID: :$=
API String ID: 2603090644-2134709475
Opcode ID: 3333373e7f2a2e62c7d39c8f06278b636757890a912a2a3d75bc94472799b3f5
Instruction ID: de6e492b85b864edf4cc986593a57bca3a3f60b318ef2d687048410b08edfedb
Opcode Fuzzy Hash: 3333373e7f2a2e62c7d39c8f06278b636757890a912a2a3d75bc94472799b3f5
Instruction Fuzzy Hash: D71127304083C7A8D72287798841BDBFF645F16348F1481CBD59496283D7FD9ACAD36A

Function 0132CF40 Relevance: 10.6, APIs: 7, Instructions: 53synchronizationthreadCOMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(00000000,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132CF57
WaitForSingleObject.KERNEL32(00000000,000003E8,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132CF6A
TerminateThread.KERNEL32(00000000,00000000,?,00000000,7B2C007C,?,00000000), ref: 0132CF7C
CloseHandle.KERNEL32(00000000,?,00000000,7B2C007C,?,00000000), ref: 0132CF85
CloseHandle.KERNEL32(00000000,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132CF96
CloseHandle.KERNEL32(?,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132CFB9
CloseHandle.KERNEL32(?,00519788,00000000,0132AC3B,?,00000000,7B2C007C,?,00000000), ref: 0132CFD5

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CloseHandle$EventObjectSingleTerminateThreadWait
String ID:
API String ID: 3210639814-0
Opcode ID: d4c656ebb46d4093dd1d3103a2a4734690053752f4ec9217c4103f63a5c13e3f
Instruction ID: 9b906ec42569b28a7a6f3f6511e6f9fc8789014738052572e06025da53916e16
Opcode Fuzzy Hash: d4c656ebb46d4093dd1d3103a2a4734690053752f4ec9217c4103f63a5c13e3f
Instruction Fuzzy Hash: 301130702007116BEB34AB3ED848F1BBBE9AF00314F158A19E569D32E0DB74E889CB50

Function 00410DF8 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 47COMMON

Download Yara Rule

APIs

SetCurrentDirectoryA.KERNEL32(?,?,0040B065,?), ref: 00410E05
GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,0040B065,?), ref: 00410E20

Part of subcall function 00412240: GetLastError.KERNEL32(00410D49,?,?,00410BE1,00000000,00000000,?,?,00410BE1,?,?,00000000), ref: 00412240

Strings

=, xrefs: 00410E58
:, xrefs: 00410E65
:, xrefs: 00410E4F

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: CurrentDirectory$ErrorLast
String ID: :$:$=
API String ID: 1128942804-2191499938
Opcode ID: b0aa4e63f355d2f5778741a7c3e2e632ad7bfc9513194cda444bfe7fb904ee19
Instruction ID: e0c2c857becbd3c8f47ed9a43efd6d2c68a516e6a8bcae1fca0655ced50fd386
Opcode Fuzzy Hash: b0aa4e63f355d2f5778741a7c3e2e632ad7bfc9513194cda444bfe7fb904ee19
Instruction Fuzzy Hash: B801FC7188838954CB31A3B68C417DF77785B11348F0444CBA48495252DBFD8BC5C76F

Function 0041A700 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0041A70C
GetProcAddress.KERNEL32(00000000,GetProcAddress), ref: 0041A719
GetVersionExA.KERNEL32 ref: 0041A73E

Strings

kernel32.dll, xrefs: 0041A707
Borland32, xrefs: 0041A71E
GetProcAddress, xrefs: 0041A713

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: AddressHandleModuleProcVersion
String ID: Borland32$GetProcAddress$kernel32.dll
API String ID: 3310240892-88975745
Opcode ID: a428a6786f6c01b51ee1a8eeaef24e5087bee44a3e217bedb3c3b6c5caf7210d
Instruction ID: ed6b18fe7ce9bf2566eea959f4d369b0ed1d1afbb2c80f75fe456d9b0f56b118
Opcode Fuzzy Hash: a428a6786f6c01b51ee1a8eeaef24e5087bee44a3e217bedb3c3b6c5caf7210d
Instruction Fuzzy Hash: 7EF096B43C630146D3206F20AE85BA27AF4A710305FA8401774714B2E2D7BCC7D69A6F

Function 01338097 Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(00000000,00000000,?), ref: 013380DF
__fassign.LIBCMT ref: 013382C4
__fassign.LIBCMT ref: 013382E1
WriteFile.KERNEL32(?,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01338329
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 01338369
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 01338411

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 5c70d388a937d0f1cb313994b1dc1f834c884c4be83e067baea4087e91747b55
Instruction ID: c45ca3d1121d8eb7b5ee6e6e3b5f97ff39c7ae29d2c7ac22a05d90b6c03df023
Opcode Fuzzy Hash: 5c70d388a937d0f1cb313994b1dc1f834c884c4be83e067baea4087e91747b55
Instruction Fuzzy Hash: B7C19175D002598FDB11CFE8C8809EDBBB5EF88318F2842AAE955F7341D631A946CF64

Function 0122909F Relevance: 9.3, APIs: 6, Instructions: 317fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleOutputCP.KERNEL32(?,00000001,?), ref: 012290E7
__fassign.LIBCMT ref: 012292CC
__fassign.LIBCMT ref: 012292E9
WriteFile.KERNEL32(?,01227887,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 01229331
WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 01229371
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000), ref: 01229419

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: FileWrite__fassign$ConsoleErrorLastOutput
String ID:
API String ID: 1735259414-0
Opcode ID: 5ec113d05914b9ffb1da4e5d88f502a0ccf6af9f5008b9c2bdd74c660db52322
Instruction ID: c306cedc411372ae6223ce99dca873a069e2a783d6aaf3d63ba6381e407fba01
Opcode Fuzzy Hash: 5ec113d05914b9ffb1da4e5d88f502a0ccf6af9f5008b9c2bdd74c660db52322
Instruction Fuzzy Hash: 41C1D271D10269AFCF15CFE8D8809EDBBB9FF08308F28416AE915B7241D6319A46CF60

Function 0132F6B4 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,0132F6AB,0132EE90), ref: 0132F6C2
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0132F6D0
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0132F6E9
SetLastError.KERNEL32(00000000,?,0132F6AB,0132EE90), ref: 0132F73B

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 0a575d0d5b5322cf82298b5c9043e7b6636bb8bba584d763eaccae5e1bc2d40c
Instruction ID: e66fe9fa77e011f505d2316ce5df9e4a4dc8359138a3f70ab91373e5dec80695
Opcode Fuzzy Hash: 0a575d0d5b5322cf82298b5c9043e7b6636bb8bba584d763eaccae5e1bc2d40c
Instruction Fuzzy Hash: 4101D83A5097266FE639397CBC8452B2E6CEB557BDB200329F520D81F5EF5198059344

Function 01222E26 Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000001,?,01222A78,012222B0,01221E0B,?,01222028,?,00000001,?,?,00000001,?,01231E28,0000000C,0122211C), ref: 01222E34
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 01222E42
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 01222E5B
SetLastError.KERNEL32(00000000,01222028,?,00000001,?,?,00000001,?,01231E28,0000000C,0122211C,?,00000001,?), ref: 01222EAD

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 1f4506ca36e195de2674a1ff479408c53a8851a5725046b6a999284a285cdae3
Instruction ID: 135da10e59da89699518801eea82664579c7b78b2f82f481eea8151688d09e2c
Opcode Fuzzy Hash: 1f4506ca36e195de2674a1ff479408c53a8851a5725046b6a999284a285cdae3
Instruction Fuzzy Hash: 1B01FC32538337FDE73575BCBD88A7F6B55FB156757300229E610850E5EF5A5802A340

Function 0132D5B0 Relevance: 9.1, APIs: 6, Instructions: 54synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,00000001), ref: 0132D5C6
WaitForSingleObject.KERNEL32(?,000000FF), ref: 0132D5D8
WaitForSingleObject.KERNEL32(?,?), ref: 0132D5EA
WaitForSingleObject.KERNEL32(?,00000001), ref: 0132D5FB
CloseHandle.KERNEL32(?), ref: 0132D624
CloseHandle.KERNEL32(?), ref: 0132D640

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ObjectSingleWait$CloseHandle
String ID:
API String ID: 1103153922-0
Opcode ID: 84a8b8a2daec6048a15555b0f736a9420a8b65f826eaa13e3067d740365f126f
Instruction ID: b65595ec7aab836e163f5d45d578d0b78d4f411aa0d4d3805a2f932fe5c5d727
Opcode Fuzzy Hash: 84a8b8a2daec6048a15555b0f736a9420a8b65f826eaa13e3067d740365f126f
Instruction Fuzzy Hash: EA01F97220071556EB307AFDEC04F97BBEAAF90774F210625E679D21E0DB71E4418B60

Function 00411BB8 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92COMMON

Download Yara Rule

APIs

GetFullPathNameA.KERNEL32(?,00000104,00000000,?,?,004112C1,00000000), ref: 00411BEA

Strings

:, xrefs: 00411C08
:, xrefs: 00411C16
\, xrefs: 00411C1A

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: FullNamePath
String ID: :$:$\
API String ID: 608056474-3089822572
Opcode ID: 0f7d0844f87900af5a3f9987fe86b541753271bfd51b48c8026395d9f879259a
Instruction ID: 18e07f53c16697aaca46239d161a3705be786d2aab2814a16cf95fef61e3ccd5
Opcode Fuzzy Hash: 0f7d0844f87900af5a3f9987fe86b541753271bfd51b48c8026395d9f879259a
Instruction Fuzzy Hash: 77219E327882592ADB2897359C819DF669D5F51364F24061FFA53972C1F8BCCDC082AD

Function 01339685 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\Logs\logs\brcc.exe, xrefs: 0133968A

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID:
String ID: C:\Windows\Logs\logs\brcc.exe
API String ID: 0-3000847071
Opcode ID: 67b8d65ed9cdf5d5a2f65cb0f49d0615cd01b34144122aa8e5f40f00e62bc55c
Instruction ID: 3c8b48ab4bfea7309768074153c7f15ea2706bc0964cb396910e144a9f42df9c
Opcode Fuzzy Hash: 67b8d65ed9cdf5d5a2f65cb0f49d0615cd01b34144122aa8e5f40f00e62bc55c
Instruction Fuzzy Hash: F121A47160020AEFDB22AF799C80AAB77ADEFD037CB104614F86597191DB71EC40C7A8

Function 01226043 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

C:\Windows\Logs\logs\brcc.exe, xrefs: 01226048

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID:
String ID: C:\Windows\Logs\logs\brcc.exe
API String ID: 0-3000847071
Opcode ID: 9a290b65175a7a6c39f4a2c086f516b77d5878265cc32e1712357ac6728fb662
Instruction ID: f0a46e281d341107a19ffa5ede419c6450a9e5ac13f97bf839eb2de8279ce75b
Opcode Fuzzy Hash: 9a290b65175a7a6c39f4a2c086f516b77d5878265cc32e1712357ac6728fb662
Instruction Fuzzy Hash: 22219F72620237BFDB21AF658D80D7E77ADEF002A47208614FD25A7252EB75ED40C7A0

Function 01221C20 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39injectionCOMMON

Download Yara Rule

APIs

FreeConsole.KERNEL32 ref: 01221C30
GetCurrentProcess.KERNEL32(00000000), ref: 01221C58
GetModuleHandleA.KERNEL32(00000000), ref: 01221C62
WriteProcessMemory.KERNEL32(00000000,00006DEA,01233860,00002890,?), ref: 01221C7E

Strings

d, xrefs: 01221C3C

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: Process$ConsoleCurrentFreeHandleMemoryModuleWrite
String ID: d
API String ID: 749819067-2564639436
Opcode ID: 637d19cbce9da3e2baa4d6030bdedb21607a36059f498ac4e4f40c5ac5a0b55a
Instruction ID: 0ece0021f5064b1a82269039f0adf2d968b387b4930c9af4424f9dea56722fa1
Opcode Fuzzy Hash: 637d19cbce9da3e2baa4d6030bdedb21607a36059f498ac4e4f40c5ac5a0b55a
Instruction Fuzzy Hash: 8AF0A435A2021CFBCB34EFB4E80DFAE7764EB14301F40416DE9065B180DA799A14CB95

Function 01333D16 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,01333D0B,?,?,01333CD3,?,?,?), ref: 01333D2B
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 01333D3E
FreeLibrary.KERNEL32(00000000,?,?,01333D0B,?,?,01333CD3,?,?,?), ref: 01333D61

Strings

mscoree.dll, xrefs: 01333D24
CorExitProcess, xrefs: 01333D36

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 87302ef7f3b20dbf94efd7b32bc6b8b3f20365e1635deaa9ea0c50403112069d
Instruction ID: 69749b7acf9d291085188502c8496f9b8e48da5b6cbb7b9f0f8f33fd3281ff8a
Opcode Fuzzy Hash: 87302ef7f3b20dbf94efd7b32bc6b8b3f20365e1635deaa9ea0c50403112069d
Instruction Fuzzy Hash: 06F08238640218FBEB219B55E80DB9E7FA9FF4075AF104154F604B2250CB709A04DB94

Function 012243A2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,01224354,?,?,0122431C,?,00000001,?), ref: 012243B7
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 012243CA
FreeLibrary.KERNEL32(00000000,?,?,01224354,?,?,0122431C,?,00000001,?), ref: 012243ED

Strings

mscoree.dll, xrefs: 012243B0
CorExitProcess, xrefs: 012243C2

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 711a73f43e4e10523e911cfbb88b4df0ff9cd213febf61f5f3d054ee7027d489
Instruction ID: ec29639d76b478cae5d048f481bcc6b5ae82d36cad1a4b11fc5186e6f3c76aad
Opcode Fuzzy Hash: 711a73f43e4e10523e911cfbb88b4df0ff9cd213febf61f5f3d054ee7027d489
Instruction Fuzzy Hash: 64F0123161122DFBDB31AF95E90DB9D7E69EF04756F200064F605A1164CB788B01DB90

Function 0132C740 Relevance: 7.7, APIs: 5, Instructions: 217COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,00000000,76EBFFB0), ref: 0132C765
LeaveCriticalSection.KERNEL32(?), ref: 0132C7ED
ReleaseSemaphore.KERNEL32(?,00000001,00000000), ref: 0132C7FA
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF,00000000,76EBFFB0), ref: 0132C81D
CloseHandle.KERNEL32(?), ref: 0132C958

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CriticalSection$CloseEnterHandleLeaveMultipleObjectsReleaseSemaphoreWait
String ID:
API String ID: 3612733447-0
Opcode ID: 5562cb64c155ddc59bb9663b2d3dc8d3a1d0ce6dd15ddaeeda7b40f4bf68318b
Instruction ID: b4a521bbabab758300a3ed7d082e85075aea90e95aba0ec42b926561afb325f8
Opcode Fuzzy Hash: 5562cb64c155ddc59bb9663b2d3dc8d3a1d0ce6dd15ddaeeda7b40f4bf68318b
Instruction Fuzzy Hash: E7813939700B168FD724DF29C580A2AB7F6FF88314B15966CD9468BB51EB70F841CB40

Function 013289E0 Relevance: 7.7, APIs: 5, Instructions: 216COMMON

Download Yara Rule

APIs

Part of subcall function 0132DEDC: __CxxThrowException@8.LIBVCRUNTIME ref: 0132E441
Part of subcall function 0132DEDC: __CxxThrowException@8.LIBVCRUNTIME ref: 0132E45E

Part of subcall function 01328870: StrStrA.SHLWAPI(00000000,0134832C,00000000,?,00000000,?,01328A67,?,00000000,00000000,?,00000000,00000000,759223A0,00000000,?), ref: 01328898

WinHttpConnect.WINHTTP(?,00000000,000001BB,00000000,?,00000000,00000000,?,00000000,00000000,759223A0), ref: 01328A8C
WinHttpConnect.WINHTTP(?,00000000,00000050,00000000,?,00000000,00000000,?,00000000,00000000,759223A0), ref: 01328AB9
WinHttpOpenRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000100), ref: 01328ADF
WinHttpCloseHandle.WINHTTP(?,?,?,?,?,00000000,00000000,?,00000000,00000000,759223A0,00000000,?,?,?,00000000), ref: 01328C26
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,?,00000000,00000000,?,00000000,00000000,759223A0,00000000,?,?,?,00000000), ref: 01328C30

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Http$CloseConnectException@8HandleThrow$OpenRequest
String ID:
API String ID: 2135166240-0
Opcode ID: 0ac4a04f5aa33bc51c43ced22fa03e9e470ecc267e4a1d45e66dcfcddc6f3049
Instruction ID: c4a37b8b1685a1ee118c966decf9de271831ac59f80281e91e9a3a285e728100
Opcode Fuzzy Hash: 0ac4a04f5aa33bc51c43ced22fa03e9e470ecc267e4a1d45e66dcfcddc6f3049
Instruction Fuzzy Hash: 3B71F370A10225AFEF18EF68DC89B6E7BE5EF44308F140199E501DB290DB74EA14CBA5

Function 0133DEA4 Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0133DF28
__alloca_probe_16.LIBCMT ref: 0133DFEE
__freea.LIBCMT ref: 0133E05A

Part of subcall function 01335D0E: RtlAllocateHeap.NTDLL(00000000,013339DF,?,?,01333B05,?,?,01333AD8,?,00000000,?,?,?,?,013339DF,?), ref: 01335D40

__freea.LIBCMT ref: 0133E063
__freea.LIBCMT ref: 0133E086

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: 3d18fbc41c818fd4b4b1eb191936589ddeedb0b90f54ad064e7ac064560d984a
Instruction ID: 5ee33f3ce1df8c83301baf2e38556f089f02052470a7f119305393b0a32fa36f
Opcode Fuzzy Hash: 3d18fbc41c818fd4b4b1eb191936589ddeedb0b90f54ad064e7ac064560d984a
Instruction Fuzzy Hash: 5251D57260020AAFEB319FADCC41FBB7AA9DFD4758F550129FE189B140DB34DC5186A8

Function 01324940 Relevance: 7.7, APIs: 5, Instructions: 151networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 01324A4B
socket.WS2_32(00000002,00000001,00000006), ref: 01324A91
connect.WS2_32(00000000,?,00000010), ref: 01324AA2
closesocket.WS2_32(00000000), ref: 01324AAD
freeaddrinfo.WS2_32(?,?,?,?,?,?,00000000,?), ref: 01324ACC

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: closesocketconnectfreeaddrinfogetaddrinfosocket
String ID:
API String ID: 1398928706-0
Opcode ID: d4fd7b31fa2b349862451dbcebc03854806f9f0ad6292478c32a7cd193fdde07
Instruction ID: 24b3b97e128d095bf275d7b9a62a2a9bfbd0f60bd14ecb62c86f3eb5760b21cf
Opcode Fuzzy Hash: d4fd7b31fa2b349862451dbcebc03854806f9f0ad6292478c32a7cd193fdde07
Instruction Fuzzy Hash: B941DE71604711ABE720DF2CD884B1ABBE8FF89318F044A1CF9559B291E770E984CB95

Function 01335137 Relevance: 7.6, APIs: 5, Instructions: 119COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 013351A5
_free.LIBCMT ref: 013351C5
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 01335226
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 01335238
__crt_fast_encode_pointer.LIBVCRUNTIME ref: 01335245

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: __crt_fast_encode_pointer$_free
String ID:
API String ID: 366466260-0
Opcode ID: 6a305aeed15514b657a669884c2994e37ce13c65123381dd19b468b5af9576f3
Instruction ID: d468369e029d9640bbe1850050fa3ce9d30c93295387128677cc658219883b00
Opcode Fuzzy Hash: 6a305aeed15514b657a669884c2994e37ce13c65123381dd19b468b5af9576f3
Instruction Fuzzy Hash: D2418F36A00214ABDB14DFACC880A5EB7F6EFC9718F2545A9E615EB341DB71ED01CB84

Function 013249E0 Relevance: 7.6, APIs: 5, Instructions: 96networkCOMMON

Download Yara Rule

APIs

getaddrinfo.WS2_32 ref: 01324A4B
socket.WS2_32(00000002,00000001,00000006), ref: 01324A91
connect.WS2_32(00000000,?,00000010), ref: 01324AA2
closesocket.WS2_32(00000000), ref: 01324AAD
freeaddrinfo.WS2_32(?,?,?,?,?,?,00000000,?), ref: 01324ACC

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: closesocketconnectfreeaddrinfogetaddrinfosocket
String ID:
API String ID: 1398928706-0
Opcode ID: feed61895aa170cb9edc7b65ba66a19dd89d008b690dff4aa8a45627ba6f6228
Instruction ID: b2092c6bb99a8c54427f3dce572537940597729597955df47a57983c650af3c3
Opcode Fuzzy Hash: feed61895aa170cb9edc7b65ba66a19dd89d008b690dff4aa8a45627ba6f6228
Instruction Fuzzy Hash: 1B3100716083109FE320DF28D884B5BBBE8FF99714F000A0DF9859B291D770E945CB96

Function 0133A7D5 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0133A7ED

Part of subcall function 01335CD4: HeapFree.KERNEL32(00000000,00000000,?,01335318), ref: 01335CEA
Part of subcall function 01335CD4: GetLastError.KERNEL32(?,?,01335318), ref: 01335CFC

_free.LIBCMT ref: 0133A7FF
_free.LIBCMT ref: 0133A811
_free.LIBCMT ref: 0133A823
_free.LIBCMT ref: 0133A835

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 1aa147fbbf0e2bffe7fb6cded79e8cb429f31c6d37cc316fdbcbfb4c66159509
Instruction ID: 9a1200189ee981dcc5899924072ae961dd61b7083bbd061edd7fa60c5b93c7c6
Opcode Fuzzy Hash: 1aa147fbbf0e2bffe7fb6cded79e8cb429f31c6d37cc316fdbcbfb4c66159509
Instruction Fuzzy Hash: C3F01876509201A7D520DA5CE5C5C55BFEDBB847187690905F249DB944CB70F881C758

Function 01229EE5 Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 01229EFD

Part of subcall function 012257D7: HeapFree.KERNEL32(00000000,00000000,?,01224A34), ref: 012257ED
Part of subcall function 012257D7: GetLastError.KERNEL32(?,?,01224A34), ref: 012257FF

_free.LIBCMT ref: 01229F0F
_free.LIBCMT ref: 01229F21
_free.LIBCMT ref: 01229F33
_free.LIBCMT ref: 01229F45

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c9b46c344e3281aed4967c5b731080d169bcaf6ad7efc8062a6f7ce09b22c30b
Instruction ID: 2ec5efe928bbfd306409ec8fcedab3323c356c39a72fcc9a0810e34ab9b0ac11
Opcode Fuzzy Hash: c9b46c344e3281aed4967c5b731080d169bcaf6ad7efc8062a6f7ce09b22c30b
Instruction Fuzzy Hash: D5F06272429272BBDA74DA58F4C5D6E77D9BA10714F644809F314D7A44C734F8C08F94

Function 0041C130 Relevance: 7.5, APIs: 5, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?), ref: 0041C146
TlsAlloc.KERNEL32(?), ref: 0041C157
VirtualQuery.KERNEL32(?,?,0000001C,?), ref: 0041C16D
TlsSetValue.KERNEL32(00000002,?,?,?,0000001C,?), ref: 0041C17E
TlsAlloc.KERNEL32(00000002,?,?,?,0000001C,?), ref: 0041C183

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: Alloc$QueryValueVersionVirtual
String ID:
API String ID: 4111955057-0
Opcode ID: 06af007b4eec81452ad544054d6988d1de5616cc37aef503ea9709310145ea34
Instruction ID: 6bbdd2b4b5edf6af37150abd3708f4bab93e34a9a32bf9389af1dab8ffb81e0b
Opcode Fuzzy Hash: 06af007b4eec81452ad544054d6988d1de5616cc37aef503ea9709310145ea34
Instruction Fuzzy Hash: CBF05EB55843019AC310EFA1DCC2ACB72ECAB49305F408A2EB56846241D7BDD5898FAA

Function 013390FC Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01339296

Strings

*?, xrefs: 0133913F

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: 41310788077ad84f73b088b4c690feec08b2184f50f61266a694a4dc006c81b4
Instruction ID: f96c1f06e233643eedd7339b4cc4229ed737eed7ef355dc43a7b18b76382e175
Opcode Fuzzy Hash: 41310788077ad84f73b088b4c690feec08b2184f50f61266a694a4dc006c81b4
Instruction Fuzzy Hash: 41611B75E0061ADFDF15CFACC8806EDFBF9EF88318B144169E815E7300D6759A418B94

Function 012259C7 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 206COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01225B61

Strings

*?, xrefs: 01225A0A

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free
String ID: *?
API String ID: 269201875-2564092906
Opcode ID: a6e5352a3b992cf3fca66862d0789d22ecaefdc5fee1cee6ce48d87a6a1b3f30
Instruction ID: 38ea9e1a859e755bf4d44d75277d4877a2be4b25c63d8d31f75bb3cf573b9ec0
Opcode Fuzzy Hash: a6e5352a3b992cf3fca66862d0789d22ecaefdc5fee1cee6ce48d87a6a1b3f30
Instruction Fuzzy Hash: 5A615F75D1022AAFDB15CFA8C8819EDFBF5EF48310B24816AE915E7340E775AE418F90

Function 01328D80 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 199COMMON

Download Yara Rule

APIs

Part of subcall function 01328C50: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,01328E0A,00000000,00000000,?,7B2C007C,?,00000000,00000000), ref: 01328C62

WinHttpOpen.WINHTTP(-00000038,00000003,00000000,00000000,00000000,?,00000000,?,?,00000001,00000000,01348334,00000001,00000000,00000000), ref: 01328EEB
WinHttpCloseHandle.WINHTTP(00000000,00000000,00000000,?,7B2C007C,?,00000000,00000000), ref: 01328F64

Strings

InsertDeal error ctrl_session : %d, xrefs: 01329AB9
ctrl_session is already alive!, xrefs: 01329B78

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Http$CloseHandleOpenlstrlen
String ID: InsertDeal error ctrl_session : %d$ctrl_session is already alive!
API String ID: 1037772175-4264306204
Opcode ID: f311ee870a5ed0a08da9bff246a0c92eb8cb7c99ad53bafa3142374391666bf9
Instruction ID: f2b1344bf26b894ef37e276653570a5dd82102bc41ec3af665e36cae08742747
Opcode Fuzzy Hash: f311ee870a5ed0a08da9bff246a0c92eb8cb7c99ad53bafa3142374391666bf9
Instruction Fuzzy Hash: F461E371A10314AFDB24EFA8DC44BAEB7F9FF44708F140A6DE5469B250DB70A509CB94

Function 013241E0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 155stringCOMMON

Download Yara Rule

APIs

Part of subcall function 01323F10: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,7B2C007C,?,?), ref: 01324005

WideCharToMultiByte.KERNEL32(00000000,00000000,-00000005,000000FF,00000000,00000000,00000000,00000000,00000008,00000006), ref: 013242F4
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 01324312
lstrcatA.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0132374D), ref: 0132431A

Strings

"%s" %s %s %d %d, xrefs: 01324350

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ByteCharMultiWide$CriticalEnterSectionlstrcat
String ID: "%s" %s %s %d %d
API String ID: 596324024-3196185087
Opcode ID: d256c96e702131955ee5dc625a4b7cbd607c67a7453393834175f57c41b2fc26
Instruction ID: 489116f2d0358a3bb12ad211489cfca432e9fc98cd0c9a7e98d9a1f21691bb43
Opcode Fuzzy Hash: d256c96e702131955ee5dc625a4b7cbd607c67a7453393834175f57c41b2fc26
Instruction Fuzzy Hash: 3841E271A00314ABEB10EFA8DC82FAEBBB5EF48718F244168E6447B2D1DB717950CB54

Function 013348B5 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

@3O, xrefs: 01334906
C:\Windows\Logs\logs\brcc.exe, xrefs: 013348F8, 013348FF, 01334935

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID:
String ID: @3O$C:\Windows\Logs\logs\brcc.exe
API String ID: 0-3154386147
Opcode ID: 81886e6fe0d4f553047e06526af0bf2a91a2269068e0921633464cbfacaa2499
Instruction ID: ad15ef870dd830518dd632278110a2b4216d5caa22fe4683955dd63b4928b69c
Opcode Fuzzy Hash: 81886e6fe0d4f553047e06526af0bf2a91a2269068e0921633464cbfacaa2499
Instruction Fuzzy Hash: 71418275E04219ABDB22DF9DDC80EAEBBFCEFD5718F100166E504D7210DAB09A40DB68

Function 01224430 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

C:\Windows\Logs\logs\brcc.exe, xrefs: 01224473, 0122447A, 012244B0
@3O, xrefs: 01224481

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID:
String ID: @3O$C:\Windows\Logs\logs\brcc.exe
API String ID: 0-3154386147
Opcode ID: 830a9fe7ad7286949d7bba66ae064b417ac6743cccbbfb7f666eb9511bc38ddc
Instruction ID: e0bdc260b3c537141a66f9fc1696666371517d2c2b6c7094df88eb682b125a2c
Opcode Fuzzy Hash: 830a9fe7ad7286949d7bba66ae064b417ac6743cccbbfb7f666eb9511bc38ddc
Instruction Fuzzy Hash: 7741B671A20266BFDB26EF9DEC809BEBBFCEB95310F504066E50097240D7B19A10CB50

Function 01334BE5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01334C2D

Strings

H/Q, xrefs: 01334C1F
H/Q, xrefs: 01334C18

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _free
String ID: H/Q$H/Q
API String ID: 269201875-1185417446
Opcode ID: 098c20cf4a9cc529acbcc39069a154e860351e2190015f03fc3ac808fcd8915e
Instruction ID: b4b9f75ab0fb66198435d4b732f6bf01f478cae79d699b1df35f3f6a832ed1a1
Opcode Fuzzy Hash: 098c20cf4a9cc529acbcc39069a154e860351e2190015f03fc3ac808fcd8915e
Instruction Fuzzy Hash: A1E09B2650751262EF31777D7C447AA6AD96BD233DF120316E520CA4D0EFB84842876D

Function 01336489 Relevance: 6.3, APIs: 4, Instructions: 320COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 01336513

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 89d3867b82b0976fe1c776ff820cdd3daf15d77787b346fed046d1ffa351ffb1
Instruction ID: e4084fd7ccbd2ab656f93f11da106cc700211092b8d61bc2bccf7400c46d2b12
Opcode Fuzzy Hash: 89d3867b82b0976fe1c776ff820cdd3daf15d77787b346fed046d1ffa351ffb1
Instruction Fuzzy Hash: 3EB149B2900246AFEB128F2CC8827FEBFF5EFD5358F144169D545AB241E6349B41CB68

Function 004106BC Relevance: 6.2, APIs: 4, Instructions: 169fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,0041C5DF,0041C5DF,?), ref: 00410778
CreateFileA.KERNEL32(?,80000000,?,0000000C,00000005,00000000,00000000,?,0041C5DF,0041C5DF,?), ref: 00410830
GetLastError.KERNEL32(?,80000000,?,0000000C,00000005,00000000,00000000,?,0041C5DF,0041C5DF,?), ref: 0041083C
CloseHandle.KERNEL32(00000000,0041C5DF,?), ref: 004108A9

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: File$AttributesCloseCreateErrorHandleLast
String ID:
API String ID: 2927643983-0
Opcode ID: ba856a4ba6674f7f666218bb8a514c498d2c70971a12776e079357004a2ab543
Instruction ID: 5b3f846bcc3e3e30ac9713d5588641192f2f67c46af0342cde409f785cf179b9
Opcode Fuzzy Hash: ba856a4ba6674f7f666218bb8a514c498d2c70971a12776e079357004a2ab543
Instruction Fuzzy Hash: D251E9316042089AE724EE68C9457EE3794EB45324F24812BE9398A3D1C7FCAEC1CF4D

Function 00416BD4 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4864721a5a36102f9656ef6adb4d487c187f0451b2f6f95ee90f5b6b6c91afb
Instruction ID: 057414cafeacebd5dd18e033e89752da518073493b29a9c485ec140fde96b898
Opcode Fuzzy Hash: b4864721a5a36102f9656ef6adb4d487c187f0451b2f6f95ee90f5b6b6c91afb
Instruction Fuzzy Hash: 2C517430B00249EFDB20DE98D8D4BEA7375EB41318F21C66AE9614B2D0D778D9C5CB99

Function 01329C75 Relevance: 6.1, APIs: 4, Instructions: 123fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0132A4F0: EnterCriticalSection.KERNEL32(005197A8,?,?,00000000), ref: 0132A510
Part of subcall function 0132A4F0: LeaveCriticalSection.KERNEL32(00000000,?,?,00000000), ref: 0132A583

SetEvent.KERNEL32(?), ref: 01329D8E
WriteFile.KERNEL32(?,00010000,00010000,?,00000000), ref: 01329DCB
SetEvent.KERNEL32(?), ref: 01329DEF
SetEvent.KERNEL32(?), ref: 01329E25

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Event$CriticalSection$EnterFileLeaveWrite
String ID:
API String ID: 3153116817-0
Opcode ID: ed510b0654a540a7e4a05d32273dc46855f6ee1e9c3bb4ad277ec86e2a8d8344
Instruction ID: 5b0de11ba8fd945ef4d42940bf8a0eb268cabe1d7fa31a6424f3d53f86cf7080
Opcode Fuzzy Hash: ed510b0654a540a7e4a05d32273dc46855f6ee1e9c3bb4ad277ec86e2a8d8344
Instruction Fuzzy Hash: 04517F71E006399BDB649F28DC44BEAF7B4FF48708F0441A9E90DA7210DB30AA90CF90

Function 0133902D Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 01333A63: _free.LIBCMT ref: 01333A71

Part of subcall function 013378AE: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,00000000,00000000,?,0133E050,?,00000000,00000000), ref: 0133795A

GetLastError.KERNEL32 ref: 01339095
__dosmaperr.LIBCMT ref: 0133909C
GetLastError.KERNEL32 ref: 013390DB
__dosmaperr.LIBCMT ref: 013390E2

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: b9b66510cd4cfb388a6f207f440305b700e6777963762741d593904e11c99e7b
Instruction ID: f569c526d651e59e84948a563b8249180c7b6a332a9e1f29f1fee648b66f1897
Opcode Fuzzy Hash: b9b66510cd4cfb388a6f207f440305b700e6777963762741d593904e11c99e7b
Instruction Fuzzy Hash: 5921B371600616EFDB216F6D8CC0A6BF7ADFF803AC7108618F82697150DB71ED4187A8

Function 012258DB Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 01225EFD: _free.LIBCMT ref: 01225F0B

Part of subcall function 01226AD1: WideCharToMultiByte.KERNEL32(?,00000000,00000000,?,00000001,01227887,01229A27,0000FDE9,00000000,?,?,?,012297A0,0000FDE9,00000000,?), ref: 01226B7D

GetLastError.KERNEL32 ref: 01225943
__dosmaperr.LIBCMT ref: 0122594A
GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 01225989
__dosmaperr.LIBCMT ref: 01225990

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide_free
String ID:
API String ID: 167067550-0
Opcode ID: 72f7f95e1c4ce1deb4732fdcbc41a4a5bebca2fce00441c50fd54e177c084c4e
Instruction ID: 174287ac5c68fc70167b75b74f5dd685c2e1b64f3a50e3e66c72675f5f99b01f
Opcode Fuzzy Hash: 72f7f95e1c4ce1deb4732fdcbc41a4a5bebca2fce00441c50fd54e177c084c4e
Instruction Fuzzy Hash: 24216071720226BFDB215F69CC80DBEB7ACEF062B4714C518F92997250EB74EC508BA1

Function 0132CFF0 Relevance: 6.1, APIs: 4, Instructions: 74synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?), ref: 0132D024
WaitForSingleObject.KERNEL32(?,0000000A), ref: 0132D057
CloseHandle.KERNEL32(?), ref: 0132D092
CloseHandle.KERNEL32(?), ref: 0132D0AE

Part of subcall function 0132D0D0: GetTickCount.KERNEL32 ref: 0132D11C
Part of subcall function 0132D0D0: PeekNamedPipe.KERNEL32(?,?,00010000,?,?,?,?,?,?,01323CEB,00000000,?,?,00010000), ref: 0132D167
Part of subcall function 0132D0D0: Sleep.KERNEL32(00000001,?,?,?,01323CEB,00000000,?,?,00010000), ref: 0132D173
Part of subcall function 0132D0D0: SetEvent.KERNEL32(?,?,?,?,01323CEB,00000000,?,?,00010000), ref: 0132D192
Part of subcall function 0132D0D0: ReadFile.KERNEL32(?,00010000,00010000,?,00000000,01323CEB,00000000,?,?,00010000), ref: 0132D1DB
Part of subcall function 0132D0D0: SetEvent.KERNEL32(?,?,00010000), ref: 0132D1FF

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CloseEventHandleObjectSingleWait$CountFileNamedPeekPipeReadSleepTick
String ID:
API String ID: 908325608-0
Opcode ID: 218b43219776cf80e7dcaefb9c4956581374a8f16a9ac9db3f92062fe43ce1a7
Instruction ID: 3fe598879e108916f688e192ea9a528cffc00f8548aadc1d49ffa0416989762f
Opcode Fuzzy Hash: 218b43219776cf80e7dcaefb9c4956581374a8f16a9ac9db3f92062fe43ce1a7
Instruction Fuzzy Hash: 76210B712007116BE730BBB8CC44F6B77E8AF51798F14850CF669971E1D7B4E84687A1

Function 013359F6 Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,013336F7,01349A28,0000000C), ref: 013359FB
_free.LIBCMT ref: 01335A58
_free.LIBCMT ref: 01335A8E
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,013336F7,01349A28,0000000C), ref: 01335A99

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 7511718bacc9dfd4ae876d48e024805dd6efa933b327f848232c54722ed9ce62
Instruction ID: 854be8ef977e022f769334bfc342bb51739783b50cb0aa4fb08e0a47df8ca4a4
Opcode Fuzzy Hash: 7511718bacc9dfd4ae876d48e024805dd6efa933b327f848232c54722ed9ce62
Instruction Fuzzy Hash: 6011EC7531434BABF622657D6CC4E2B369D9BD167EF240224F320961D4FF60D8026358

Function 012251DB Relevance: 6.1, APIs: 4, Instructions: 72COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,012294E7,?,00000001,012278F8,?,012299A1,00000001,?,?,?,01227887,?,00000000), ref: 012251E0
_free.LIBCMT ref: 0122523D
_free.LIBCMT ref: 01225273
SetLastError.KERNEL32(00000000,00000005,000000FF,?,012299A1,00000001,?,?,?,01227887,?,00000000,00000000,01232068,0000002C,012278F8), ref: 0122527E

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 93b00154dd29ef3286a04bfb158993943074ebd743ac498b58e6773cf81918c6
Instruction ID: 6ed7d4cb6e16707b4b29e019504305c1494137ea8ff748478dad013a42e524fa
Opcode Fuzzy Hash: 93b00154dd29ef3286a04bfb158993943074ebd743ac498b58e6773cf81918c6
Instruction Fuzzy Hash: 7E11E9333342337BEA2176B86C89EBE7659EBD25747248324FB31831D4EE658D414610

Function 01335B4D Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,01335CC6,01335CFA,?,?,01335318), ref: 01335B52
_free.LIBCMT ref: 01335BAF
_free.LIBCMT ref: 01335BE5
SetLastError.KERNEL32(00000000,00000008,000000FF,?,?,01335CC6,01335CFA,?,?,01335318), ref: 01335BF0

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 727e50de1e19432e66de7a353c9c8391ed3d1b073a41acbab83dfff69769e9ca
Instruction ID: 1e9c08a26497005ef26af11cddc843d6702c873125f882f896da90692f588849
Opcode Fuzzy Hash: 727e50de1e19432e66de7a353c9c8391ed3d1b073a41acbab83dfff69769e9ca
Instruction Fuzzy Hash: 49112F75304106AFE729257DAC80E2B355DABD037EF240324F720D61D4FF60D8008758

Function 01225332 Relevance: 6.1, APIs: 4, Instructions: 69COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00000001,0122576C,012257FD,?,?,01224A34), ref: 01225337
_free.LIBCMT ref: 01225394
_free.LIBCMT ref: 012253CA
SetLastError.KERNEL32(00000000,00000005,000000FF,?,00000001,0122576C,012257FD,?,?,01224A34), ref: 012253D5

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: c5b68ebf7c34e62099409075148896fca789dc237f5efb9c22f999f8746c4d9f
Instruction ID: 64cc96173639e8ee232808007d6df161efc3b91ca22b38e79e2ff1299e7ea59c
Opcode Fuzzy Hash: c5b68ebf7c34e62099409075148896fca789dc237f5efb9c22f999f8746c4d9f
Instruction Fuzzy Hash: BF1104333242267BDA2177786C89EBE665AABC0674F249224FB25831D4DFF589018620

Function 0133382E Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,01333652,00000000,00000004,00000000), ref: 0133387D
GetLastError.KERNEL32 ref: 01333889
__dosmaperr.LIBCMT ref: 01333890

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CreateErrorLastThread__dosmaperr
String ID:
API String ID: 2744730728-0
Opcode ID: bb848506ca2723a63c24a605b83d7c74cbb0746c2383420fe191ca58359f3ffb
Instruction ID: d48937f6f911d48c9af18d64e9f8729873cbcb8e499656b66f2da5586b7ce26a
Opcode Fuzzy Hash: bb848506ca2723a63c24a605b83d7c74cbb0746c2383420fe191ca58359f3ffb
Instruction Fuzzy Hash: A901F976500204BBDB119BA9DC08B9E7F69FFC077EF208218F5249A1D0DB708505D768

Function 0132F96C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 0132F986

Part of subcall function 0132F8D3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0132F902
Part of subcall function 0132F8D3: ___AdjustPointer.LIBCMT ref: 0132F91D

_UnwindNestedFrames.LIBCMT ref: 0132F99B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 0132F9AC
CallCatchBlock.LIBVCRUNTIME ref: 0132F9D4

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: d1ff13375782963b9c6c1124d02b77f3f50474ec2c23615fea1de197643b66f0
Instruction ID: c16d936361c73f1144788638896dd69a5fce59c731fe6094518347ddeb1ce37e
Opcode Fuzzy Hash: d1ff13375782963b9c6c1124d02b77f3f50474ec2c23615fea1de197643b66f0
Instruction Fuzzy Hash: 83012932100159BBDF126E99CC41EEB7F7EEF99658F044514FE18A6120C732E861DBA1

Function 0041C3AB Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 0041C3CD
TlsSetValue.KERNEL32(00000003,?,00000094), ref: 0041C3E7
VirtualQuery.KERNEL32(?,?,0000001C,00000003,?,00000094), ref: 0041C3F6
TlsSetValue.KERNEL32(00000002,?,?,?,0000001C,00000003,?,00000094), ref: 0041C405

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: Value$QueryVersionVirtual
String ID:
API String ID: 1147312274-0
Opcode ID: 05b99272e1f7fa28c4f7c056833ca456ac0a007e085184139376298a1694e65e
Instruction ID: f53e77bdb3d30e614163ca60a242a541072e5fffff5c71255776e4b12b71440a
Opcode Fuzzy Hash: 05b99272e1f7fa28c4f7c056833ca456ac0a007e085184139376298a1694e65e
Instruction Fuzzy Hash: B101A1B2940218AACB14EFA4CCC1DCA77BCAF0C310F50869AF508A7141CA79D984CBA4

Function 0041C3AC Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(00000094), ref: 0041C3CD
TlsSetValue.KERNEL32(00000003,?,00000094), ref: 0041C3E7
VirtualQuery.KERNEL32(?,?,0000001C,00000003,?,00000094), ref: 0041C3F6
TlsSetValue.KERNEL32(00000002,?,?,?,0000001C,00000003,?,00000094), ref: 0041C405

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: Value$QueryVersionVirtual
String ID:
API String ID: 1147312274-0
Opcode ID: 37dc084dc31a775af5f02958d199a4feab22e60c1e1b8fbc08b1da4ba42f0a99
Instruction ID: f44fca277b9ab546f8f5088c1b41583c9e82d91f162c3e9efeb8084cd4e279a7
Opcode Fuzzy Hash: 37dc084dc31a775af5f02958d199a4feab22e60c1e1b8fbc08b1da4ba42f0a99
Instruction Fuzzy Hash: 060184B2940218ABCB54EFA5DCC1DDA73BCAF0C314F50859AF508A7141DA79E984CBA5

Function 0133EF56 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,00000000,?,0133D8BC,00000000,00000001,00000000,00000000,?,0133846E,?,00000000,00000000), ref: 0133EF6D
GetLastError.KERNEL32(?,0133D8BC,00000000,00000001,00000000,00000000,?,0133846E,?,00000000,00000000,?,00000000,?,013389BA,00000000), ref: 0133EF79

Part of subcall function 0133EF3F: CloseHandle.KERNEL32(FFFFFFFE,0133EF89,?,0133D8BC,00000000,00000001,00000000,00000000,?,0133846E,?,00000000,00000000,?,00000000), ref: 0133EF4F

___initconout.LIBCMT ref: 0133EF89

Part of subcall function 0133EF01: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0133EF30,0133D8A9,00000000,?,0133846E,?,00000000,00000000,?), ref: 0133EF14

WriteConsoleW.KERNEL32(00000000,0000000C,00000000,00000000,?,0133D8BC,00000000,00000001,00000000,00000000,?,0133846E,?,00000000,00000000,?), ref: 0133EF9E

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 55fcd746f7d7170e05ee6a7bfdeca0207eecff826d7fa124f720dcf2ff34019e
Instruction ID: 0decef523556855cbeb67271863e20efe6f880d556b03c0941fab24e86a4ce33
Opcode Fuzzy Hash: 55fcd746f7d7170e05ee6a7bfdeca0207eecff826d7fa124f720dcf2ff34019e
Instruction Fuzzy Hash: CCF01C3A010159BBCF322FA5EC0899A7F6AFF487B1F024020FA1995124CA729820DB94

Function 0122A736 Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,0122A190,?,00000001,?,00000001,?,01229476,?,?,00000001), ref: 0122A74D
GetLastError.KERNEL32(?,0122A190,?,00000001,?,00000001,?,01229476,?,?,00000001,?,00000001,?,012299C2,01227887), ref: 0122A759

Part of subcall function 0122A71F: CloseHandle.KERNEL32(FFFFFFFE,0122A769,?,0122A190,?,00000001,?,00000001,?,01229476,?,?,00000001,?,00000001), ref: 0122A72F

___initconout.LIBCMT ref: 0122A769

Part of subcall function 0122A6E1: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,0122A710,0122A17D,00000001,?,01229476,?,?,00000001,?), ref: 0122A6F4

WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,0122A190,?,00000001,?,00000001,?,01229476,?,?,00000001,?), ref: 0122A77E

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 81167de571e0afefedbd7e13af25da3d9414e74faf57ea1ede39bb8959878d5c
Instruction ID: 8152c97cc750c5d807a60738d59abcb7d8514e2e0d0c50d00f9e75ab936e80e9
Opcode Fuzzy Hash: 81167de571e0afefedbd7e13af25da3d9414e74faf57ea1ede39bb8959878d5c
Instruction Fuzzy Hash: 73F01236510129BBCF322FD5EC0CEAE3F65FB087B0B104010FA1986924C6318920EB94

Function 01335456 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0133545F

Part of subcall function 01335CD4: HeapFree.KERNEL32(00000000,00000000,?,01335318), ref: 01335CEA
Part of subcall function 01335CD4: GetLastError.KERNEL32(?,?,01335318), ref: 01335CFC

_free.LIBCMT ref: 01335472
_free.LIBCMT ref: 01335483
_free.LIBCMT ref: 01335494

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 9d0b2ad16a8f443079dbac6a5a0671e3d4975246b0600b95ceec22aaa7fd7bbf
Instruction ID: 8f94f50012a0caf8c6315dc2268bd4d56a0398c411e82550d090350e707bc814
Opcode Fuzzy Hash: 9d0b2ad16a8f443079dbac6a5a0671e3d4975246b0600b95ceec22aaa7fd7bbf
Instruction Fuzzy Hash: 89E0867E406161ABEB312F28B8914897E7DF79571CB112106F50047218DF7A28529F94

Function 01224B2C Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01224B35

Part of subcall function 012257D7: HeapFree.KERNEL32(00000000,00000000,?,01224A34), ref: 012257ED
Part of subcall function 012257D7: GetLastError.KERNEL32(?,?,01224A34), ref: 012257FF

_free.LIBCMT ref: 01224B48
_free.LIBCMT ref: 01224B59
_free.LIBCMT ref: 01224B6A

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 79c04c67c7e3887176655fd781a79f31311d967b5135d07c3888cae18c217034
Instruction ID: 298a6c2a870448bfa63d379d100c2ca06c7c9db401a0806edd4456a41f2ee735
Opcode Fuzzy Hash: 79c04c67c7e3887176655fd781a79f31311d967b5135d07c3888cae18c217034
Instruction Fuzzy Hash: 8FE0B671862132FAC66A6F15B9685A93B69EB64610B518006F50013A5CDB320752EF91

Function 0040E2B2 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 178COMMON

Download Yara Rule

APIs

Part of subcall function 0040E13D: RaiseException.KERNEL32(0EEDFAE6,00000000,?,?,00000000,?,0040E43F,00000001,0000000B,?,00000000,00000000,?,00000000,?,?), ref: 0040E152

RaiseException.KERNEL32(0EEFFACE,00000001,00000003,?), ref: 0040E4D9

Strings

XX.CPP, xrefs: 0040E453
cctrAddr, xrefs: 0040E458

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: ExceptionRaise
String ID: XX.CPP$cctrAddr
API String ID: 3997070919-3056909104
Opcode ID: f502531a7f4b68a852c8015dd49ecd5b3480a123fa58a4e8fc4d5afd5a7c92f6
Instruction ID: 59198e6ce4ee755e88744a3d3d06fce599bb44c9ede2b901157bac37f3e679a4
Opcode Fuzzy Hash: f502531a7f4b68a852c8015dd49ecd5b3480a123fa58a4e8fc4d5afd5a7c92f6
Instruction Fuzzy Hash: D3712974A01218EFCB14DF55D981E9EBBB2FF48314F14816AF808AB391D735E891CB94

Function 013253F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

SetEvent.KERNEL32(?,7B2C007C), ref: 01325433
CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 013254D0

Strings

CreateEvent Error, xrefs: 013254E3

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Event$Create
String ID: CreateEvent Error
API String ID: 1287507382-4283065084
Opcode ID: fe554454e57894d5ab5878fb91aa1826713971d9299962d689520f15be862a0c
Instruction ID: a93ed69e7f0790d9111a0bc44b31acd8fd7527fb2fe437a90242ca6af0e69710
Opcode Fuzzy Hash: fe554454e57894d5ab5878fb91aa1826713971d9299962d689520f15be862a0c
Instruction Fuzzy Hash: 82517B71601615EFDB10DF58C984BADFBF2FF48325F248619E526AB790E735AA00CB80

Function 013222B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 01322404

Part of subcall function 0132ECE2: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0132ECEE
Part of subcall function 0132ECE2: __CxxThrowException@8.LIBVCRUNTIME ref: 0132ECFC

__CxxThrowException@8.LIBVCRUNTIME ref: 01322415

Part of subcall function 0132F437: RaiseException.KERNEL32(?,?,?,0132E463,?,?,?,?,?,?,?,?,0132E463,?,013497BC), ref: 0132F497

Strings

list<T> too long, xrefs: 013223FF

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaiseXinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: list<T> too long
API String ID: 3797282997-4027344264
Opcode ID: b891f914bf5b6091b45759e7be8323b9363d49a5a225def5ec3fa428f759fb45
Instruction ID: 92de3169a2c2c9bbcff9fc1aaaf432a4d2ade990887b4ec7a1028a94d6a0a0d3
Opcode Fuzzy Hash: b891f914bf5b6091b45759e7be8323b9363d49a5a225def5ec3fa428f759fb45
Instruction Fuzzy Hash: CB41AF71A002259FCB14EF5CC880B6EBBF4FF59314F148569EA59AB740D730B9408B90

Function 01322190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 01322297
__CxxThrowException@8.LIBVCRUNTIME ref: 013222A8

Strings

list<T> too long, xrefs: 01322292

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_
String ID: list<T> too long
API String ID: 3614006799-4027344264
Opcode ID: 151031efe3f0986967280054c32762e0a31101119aae8e47519e4598b7f9ec9a
Instruction ID: 43013a71a07d7e637559b814cd6572c3e00d6e5cd2eb53b9544db570b2e40d3a
Opcode Fuzzy Hash: 151031efe3f0986967280054c32762e0a31101119aae8e47519e4598b7f9ec9a
Instruction Fuzzy Hash: A9416975A00229EFCB14EF5CC880B6ABBF4FF59314F20856AE959AB350D731B940CB90

Function 0133A308 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0133A36A
_free.LIBCMT ref: 0133A398

Part of subcall function 013355B1: IsProcessorFeaturePresent.KERNEL32(00000017,01335AB2,?,?,013336F7,01349A28,0000000C), ref: 013355CD

Part of subcall function 0133182D: IsProcessorFeaturePresent.KERNEL32(00000017,013317FF,?,?,?,?,?,?,?,0133180C,00000000,00000000,00000000,00000000,00000000,0133B0DB), ref: 0133182F
Part of subcall function 0133182D: GetCurrentProcess.KERNEL32(C0000417), ref: 01331852
Part of subcall function 0133182D: TerminateProcess.KERNEL32(00000000), ref: 01331859

Strings

H/Q, xrefs: 0133A3B8, 0133A3CC

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: FeaturePresentProcessProcessor_free$CurrentTerminate
String ID: H/Q
API String ID: 1729132349-2411224165
Opcode ID: c32fc29c056ad027d203d05067e27ea2b33b4d2413d52a1891f010999b77ab6e
Instruction ID: 4d9cac8963325db6a2cf388ce9d3a31bf18778156d33f18b3b7999f0f1f20eb4
Opcode Fuzzy Hash: c32fc29c056ad027d203d05067e27ea2b33b4d2413d52a1891f010999b77ab6e
Instruction Fuzzy Hash: 672105766052069BEF259FBCD840B6977A9EFC432CF240129E985CB145EBF2D841C758

Function 0040349A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 80COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?), ref: 004034DB
@EVENTMGRINIT$QUL.BRCC(01000000,?), ref: 004034E5

Part of subcall function 00402E89: InitializeCriticalSection.KERNEL32(-00000040), ref: 00402EC8

Strings

o1@, xrefs: 004034B0

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: CriticalInitializeSection
String ID: o1@
API String ID: 32694325-206246701
Opcode ID: 95c70d083bb7a214ec142bc811512dcef1438259e6f59556f280b6426e62e402
Instruction ID: b1543bbf13176710c529c61918718738c2fc3db57c3651038861ef567cd7352e
Opcode Fuzzy Hash: 95c70d083bb7a214ec142bc811512dcef1438259e6f59556f280b6426e62e402
Instruction Fuzzy Hash: 92311974A00209EBCB04DF94C98599DBBB5FF48345F10816AF9486B3A1DB75DA81CF98

Function 0040DA8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,___CPPdebugHook), ref: 0040DABF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040DAC5

Strings

___CPPdebugHook, xrefs: 0040DAB8

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ___CPPdebugHook
API String ID: 1646373207-76456168
Opcode ID: 287a6b333046123f1858be82b54ae64867af626ad00b8413832972d0f5747850
Instruction ID: cac64b625be94977cf7515171d509fe3c1ea65b8af14518d2d1145854148ca72
Opcode Fuzzy Hash: 287a6b333046123f1858be82b54ae64867af626ad00b8413832972d0f5747850
Instruction Fuzzy Hash: D321C7349093C08ED713ABA099567953F71BF03718F1A81FBD0846A1F3C67D098ACB6A

Function 01227A14 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 01227A42
_free.LIBCMT ref: 01227A68

Strings

@GP, xrefs: 01227A3D, 01227A4A, 01227A63, 01227A70, 01227A96

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free
String ID: @GP
API String ID: 269201875-1535696100
Opcode ID: 3a911180a06b6d2b36f5abaf44188d48892b60d8158f7ef11c48083f495b44a4
Instruction ID: f7635ee93f662285045a7bc1e199e2789a6523dad4341e0d2e17e3c0488a8797
Opcode Fuzzy Hash: 3a911180a06b6d2b36f5abaf44188d48892b60d8158f7ef11c48083f495b44a4
Instruction Fuzzy Hash: CA11C871A242227BEB349A7DBC49BAD3799B761730F284616F622CB6C4D371C6474B80

Function 01229AE6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

Part of subcall function 0122546E: EnterCriticalSection.KERNEL32(?,?,01224195,?,01231EA8,00000008,0122430C,00000001,?,?), ref: 0122547D

DeleteCriticalSection.KERNEL32(01233618,?,?,?,?,01232128,00000010,01227AE9), ref: 01229B49
_free.LIBCMT ref: 01229B57

Strings

@GP, xrefs: 01229B10, 01229B27, 01229B3D, 01229B4F, 01229B5D

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: CriticalSection$DeleteEnter_free
String ID: @GP
API String ID: 1836352639-1535696100
Opcode ID: 75bbebc0874767e50b888b1122cc7347dad92efb13a69c862f93c993c3cc449b
Instruction ID: 0b48a6e6fe42946be30934602406513085b5cdd6036ee35ba89a9cdb0acc2aba
Opcode Fuzzy Hash: 75bbebc0874767e50b888b1122cc7347dad92efb13a69c862f93c993c3cc449b
Instruction Fuzzy Hash: FB11E032620232EFDB20DF99E449BACB7B0FB09724F508106E612DB6D0CB75E542CB04

Function 0040C612 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(BRCC32,0041F0EC,00000104), ref: 0040C62D
GetModuleFileNameA.KERNEL32(00000000,BRCC32,0041F0EC,00000104), ref: 0040C633

Strings

BRCC32, xrefs: 0040C628

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: Module$FileHandleName
String ID: BRCC32
API String ID: 4146042529-1983932053
Opcode ID: bb2b271d77e38dff5e7b391816342d185b57991bd0eb3710a4d9690fd15eefec
Instruction ID: a37f0b661a05946a262a0a393fff8bb036f745d6e25c814e50e47cd4ef111798
Opcode Fuzzy Hash: bb2b271d77e38dff5e7b391816342d185b57991bd0eb3710a4d9690fd15eefec
Instruction Fuzzy Hash: 86112130640104EFC700DF54DC85FC93BA9AF49709F14C175F9499B2A2C676A9D9CB99

Function 00410EB8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,00000000), ref: 00410EE2

Strings

A, xrefs: 00410F04
Z, xrefs: 00410F09

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: CurrentDirectory
String ID: A$Z
API String ID: 1611563598-4098844585
Opcode ID: 634a1577d351043f3a428ca60013a7c1ce4cd3ada01c53e2bbc73d4084fa08ef
Instruction ID: 0d841c5518bc233b6d3ef3ce057666f5c9254ccc47b631ce3bedcb6927d85a67
Opcode Fuzzy Hash: 634a1577d351043f3a428ca60013a7c1ce4cd3ada01c53e2bbc73d4084fa08ef
Instruction Fuzzy Hash: 1AF0E2B27097550AE630217A2CC66CB1A88DF027B9F24066BF651C52C2CBEDCDC2816D

Function 01227ADC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23COMMON

Download Yara Rule

APIs

Part of subcall function 01229AE6: DeleteCriticalSection.KERNEL32(01233618,?,?,?,?,01232128,00000010,01227AE9), ref: 01229B49
Part of subcall function 01229AE6: _free.LIBCMT ref: 01229B57

Part of subcall function 01229B91: _free.LIBCMT ref: 01229BB5

DeleteCriticalSection.KERNEL32(00504720), ref: 01227B05
_free.LIBCMT ref: 01227B19

Strings

@GP, xrefs: 01227AEB, 01227AF8, 01227B1E

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: _free$CriticalDeleteSection
String ID: @GP
API String ID: 1906768660-1535696100
Opcode ID: c69be17e98e006fc58e361a9ad60b3d48c085a0b1bd5224fd8c0b537c2fae070
Instruction ID: 3d82c140177d6890984a552360a2d078231fbfd60ed5754d849bec62a2ba6bfc
Opcode Fuzzy Hash: c69be17e98e006fc58e361a9ad60b3d48c085a0b1bd5224fd8c0b537c2fae070
Instruction Fuzzy Hash: 8AE0D833824132BBCB31AB9DF808A5E33D9AF19320B15C814E442C3044CB316D458F44

Function 0040DEA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 10libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,___CPPdebugHook), ref: 0040DEAF
GetProcAddress.KERNEL32(00000000,00000000), ref: 0040DEB5

Strings

___CPPdebugHook, xrefs: 0040DEA8

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: ___CPPdebugHook
API String ID: 1646373207-76456168
Opcode ID: fde9424a57caf3c6f118d46f5f668d899efe892cb6852b9fda161fadb51bae4f
Instruction ID: e9fac35ffdc13730c2a5cdd90867b2163e931cc03d56ebb25d2ecdeab5880e1a
Opcode Fuzzy Hash: fde9424a57caf3c6f118d46f5f668d899efe892cb6852b9fda161fadb51bae4f
Instruction Fuzzy Hash: FBC012B4B40308E9D7107F609CC67403670A304B1EF90017A90519A1E1C7BC11C68A2C

Function 01334F1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 01334F1E
GetCommandLineW.KERNEL32 ref: 01334F29

Strings

@3O, xrefs: 01334F24

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CommandLine
String ID: @3O
API String ID: 3253501508-2647879139
Opcode ID: 1105f6c10648b5d0b8d7e42b09751a4920973c02526dfc7a1e2523bd555f7852
Instruction ID: eedc6af00d592ed812dbfd08b4d7a16420c1b0011ece1a7549f01ae3b23c911a
Opcode Fuzzy Hash: 1105f6c10648b5d0b8d7e42b09751a4920973c02526dfc7a1e2523bd555f7852
Instruction Fuzzy Hash: 93B092BC802200CFD7208F30F00D005BBB8B688302BC02156EA0AD3308DF342000DF20

Function 01226A3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 6COMMON

Download Yara Rule

APIs

GetCommandLineA.KERNEL32 ref: 01226A3C
GetCommandLineW.KERNEL32 ref: 01226A47

Strings

@3O, xrefs: 01226A42

Memory Dump Source

Source File: 0000000E.00000002.3890376341.0000000001221000.00000020.00001000.00020000.00000000.sdmp, Offset: 01220000, based on PE: true

Associated: 0000000E.00000002.3890359285.0000000001220000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890414753.000000000122D000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001233000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890436508.0000000001313000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1220000_brcc.jbxd

Similarity

API ID: CommandLine
String ID: @3O
API String ID: 3253501508-2647879139
Opcode ID: 8eb8c162eac9e925f9ef6ee50e5382fbe54ffc0117a0c43bac8baca79e896bf3
Instruction ID: 975cc301da7bcde7607b8da555286d4eff423c015dcec35555d4daed4d2a8d75
Opcode Fuzzy Hash: 8eb8c162eac9e925f9ef6ee50e5382fbe54ffc0117a0c43bac8baca79e896bf3
Instruction Fuzzy Hash: D5B04878804204ABC7358FB0B01C1087AA5F2087423C0A45AD80183218E73A020ACF10

Function 00416A6C Relevance: 5.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.3889783164.0000000000401000.00000040.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000E.00000002.3889763013.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889808265.000000000041D000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889836260.0000000000429000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889856334.000000000042A000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000E.00000002.3889875780.000000000042D000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_400000_brcc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6482671da7de8cfdcedd33a01a2a71081be13d1fa2dcd55206946f7dc224d7a
Instruction ID: f8b09694432a2b6b888e91e60ec0dff31b9f07a23385d21866bb79e039dcde5b
Opcode Fuzzy Hash: f6482671da7de8cfdcedd33a01a2a71081be13d1fa2dcd55206946f7dc224d7a
Instruction Fuzzy Hash: 1C31A230348212ABD7209A698C90BF777A9EB46374F36462AE925C72D0D678E881C759

Function 0132AB90 Relevance: 5.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(005197A8,?,?,00000000,7B2C007C,?,00000000), ref: 0132ABA2
EnterCriticalSection.KERNEL32(00000000,?,00000000,7B2C007C,?,00000000), ref: 0132AC3C
LeaveCriticalSection.KERNEL32(00000000,?,00000000,7B2C007C,?,00000000), ref: 0132AC5D
LeaveCriticalSection.KERNEL32(?,?,00000000,7B2C007C,?,00000000), ref: 0132AC91

Memory Dump Source

Source File: 0000000E.00000002.3890557780.0000000001321000.00000020.00001000.00020000.00000000.sdmp, Offset: 01320000, based on PE: true

Associated: 0000000E.00000002.3890541212.0000000001320000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890630590.0000000001342000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134B000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 0000000E.00000002.3890667471.000000000134F000.00000004.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_1320000_brcc.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ca9da39f3eb3596556680b61783b4c5d0d959e4ecfa1afe84e7ba30b51ea154c
Instruction ID: 26477bb6c4a2facdd9f21a5284d18012cbda1545e65d9041b3b2ec342045a3b8
Opcode Fuzzy Hash: ca9da39f3eb3596556680b61783b4c5d0d959e4ecfa1afe84e7ba30b51ea154c
Instruction Fuzzy Hash: D7316E74600622AFDB18EF28D494A65FBE5FF48309F14856EE90ACBA51D731E880CB90

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report OPyF68i97j.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Windows\Logs\logs\Secur32.dll

C:\Windows\Logs\logs\brcc.exe

C:\Windows\Logs\logs\consent.exe

C:\Windows\Logs\logs\rw32core.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Exports

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Packets

Statistics

Windows Analysis Report
OPyF68i97j.exe

Function 004921C0 Relevance: 77.2, APIs: 34, Strings: 10, Instructions: 211
stringserviceregistryCOMMON

Function 00491930 Relevance: 36.2, APIs: 24, Instructions: 164
memorythreadCOMMON

Function 00491E90 Relevance: 33.4, APIs: 13, Strings: 6, Instructions: 135
processstringsynchronizationCOMMON

Function 00491B20 Relevance: 12.2, APIs: 8, Instructions: 160
serviceCOMMON

Function 004912B0 Relevance: 9.0, APIs: 6, Instructions: 36
synchronizationCOMMON

Function 004913D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre