
Windows Analysis Report
PRODUKTY.EXE.exe

Overview

General Information

Sample name: PRODUKTY.EXE.exe
Analysis ID: 1590553
MD5: b41bf2658e924e0ede6906f35759e28d
SHA1: 44a3666f49f49bda109a9c6fc0969698668d3789
SHA256: dda88b2f3e4fc0dd679df66662d77aaedaeed19d542fab5171f54e0b01869461
Tags: exe, user-julianmckein

Detection

AsyncRAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected AsyncRAT
Yara detected PureLog Stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • PRODUKTY.EXE.exe (PID: 1892 cmdline: "C:\Users\user\Desktop\PRODUKTY.EXE.exe" MD5: B41BF2658E924E0EDE6906F35759E28D)
    • PRODUKTY.EXE.exe (PID: 4464 cmdline: "C:\Users\user\Desktop\PRODUKTY.EXE.exe" MD5: B41BF2658E924E0EDE6906F35759E28D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"External_config_on_Pastebin": "null", "Server": "quin.ydns.eu,185.38.142.240", "Ports": "1962,1940", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "windowsBook.exe", "Install_File": "R1FLVk5xdzVTc1lsdnB3bTJRaEFwOXpqQTYxY3RybUE="}
Source | Rule | Description | Author | Strings
00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x97c5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.1673212977.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1675364688.0000000005870000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Source | Rule | Description | Author | Strings
0.2.PRODUKTY.EXE.exe.300c478.3.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.PRODUKTY.EXE.exe.300c478.3.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0x7b33:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x8e38:$a2: Stub.exe
  • 0x8ec8:$a2: Stub.exe
  • 0x48f6:$a3: get_ActivatePong
  • 0x7d4b:$a4: vmware
  • 0x7bc3:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x5648:$a6: get_SslClient
0.2.PRODUKTY.EXE.exe.300c478.3.unpack | rat_win_asyncrat | Detect AsyncRAT based on specific strings | Sekoia.io
  • 0x48f6:$str01: get_ActivatePong
  • 0x5648:$str02: get_SslClient
  • 0x5664:$str03: get_TcpClient
  • 0x3f0e:$str04: get_SendSync
  • 0x3f5e:$str05: get_IsConnected
  • 0x468d:$str06: set_UseShellExecute
  • 0x7e69:$str07: Pastebin
  • 0x7eeb:$str08: Select * from AntivirusProduct
  • 0x8e38:$str09: Stub.exe
  • 0x8ec8:$str09: Stub.exe
  • 0x7c43:$str10: timeout 3 > NUL
  • 0x7b33:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0x7bc3:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.PRODUKTY.EXE.exe.300c478.3.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x7bc5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.PRODUKTY.EXE.exe.5870000.8.raw.unpack | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
              No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T09:16:15.500975+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 185.38.142.240 | 1940 | 192.168.2.4 | 49735 | TCP
2025-01-14T09:16:15.500975+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 185.38.142.240 | 1940 | 192.168.2.4 | 49735 | TCP
2025-01-14T09:16:15.500975+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 185.38.142.240 | 1940 | 192.168.2.4 | 49735 | TCP


              AV Detection

Source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "quin.ydns.eu,185.38.142.240", "Ports": "1962,1940", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "windowsBook.exe", "Install_File": "R1FLVk5xdzVTc1lsdnB3bTJRaEFwOXpqQTYxY3RybUE="}
Source: PRODUKTY.EXE.exe | ReversingLabs: Detection: 26%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: PRODUKTY.EXE.exe | Joe Sandbox ML: detected
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: 1962,1940
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: quin.ydns.eu,185.38.142.240
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: 0.5.8
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: false
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: dLOEY8XRq1oB
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: false
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: null
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: false
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack | String decryptor: COKE
Source: PRODUKTY.EXE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PRODUKTY.EXE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: EzDE.pdb source: PRODUKTY.EXE.exe
Source: Binary string: EzDE.pdbSHA256 source: PRODUKTY.EXE.exe

              Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.38.142.240:1940 -> 192.168.2.4:49735
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.38.142.240:1940 -> 192.168.2.4:49735
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.38.142.240:1940 -> 192.168.2.4:49735
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.38.142.240:1940 -> 192.168.2.4:49735
Source: Malware configuration extractor | URLs: quin.ydns.eu
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49735 -> 185.38.142.240:1940
Source: Joe Sandbox View | ASN Name: NETSOLUTIONSNL NETSOLUTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.38.142.240 (this entry is reported 50 times)
Source: global traffic | DNS traffic detected: DNS query: quin.ydns.eu
Source: PRODUKTY.EXE.exe, 00000002.00000002.2913925643.0000000000A96000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: PRODUKTY.EXE.exe, 00000002.00000002.2913925643.0000000000A96000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enac
Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002831000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2915159034.000000000289B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PRODUKTY.EXE.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2915159034.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: PRODUKTY.EXE.exe PID: 1892, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: PRODUKTY.EXE.exe PID: 4464, type: MEMORYSTR

              System Summary

Source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: PRODUKTY.EXE.exe PID: 1892, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: PRODUKTY.EXE.exe PID: 4464, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_01684204
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_01687018
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_0168D8EC
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061FD5B0
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061FD5C0
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061FD188
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061F5180
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061FEE00
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061F9E41
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061F8EA0
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061F3F70
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061F3F60
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061FCD32
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061FCD50
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061FE9B7
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 0_2_061FE9C8
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 2_2_00CD6868
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 2_2_00CD5F98
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 2_2_00CDA718
Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Code function: 2_2_00CD5C50
Source: PRODUKTY.EXE.exe, 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe, 00000000.00000002.1673212977.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe, 00000000.00000002.1673212977.0000000004017000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe, 00000000.00000002.1667729593.00000000014EE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe, 00000000.00000002.1675364688.0000000005870000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe, 00000000.00000000.1646768934.0000000000C22000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameEzDE.exeB vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe, 00000000.00000002.1676989264.0000000009270000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe, 00000000.00000002.1671714813.000000000307D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCaptive.dll" vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe, 00000002.00000002.2913349574.000000000040E000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe | Binary or memory string: OriginalFilenameEzDE.exeB vs PRODUKTY.EXE.exe
Source: PRODUKTY.EXE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
              Source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
              Source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: Process Memory Space: PRODUKTY.EXE.exe PID: 1892, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: Process Memory Space: PRODUKTY.EXE.exe PID: 4464, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
              Source: PRODUKTY.EXE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: classification engineClassification label: mal100.troj.evad.winEXE@3/3@2/1
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PRODUKTY.EXE.exe.logJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeMutant created: NULL
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeMutant created: \Sessions\1\BaseNamedObjects\dLOEY8XRq1oB
              Source: PRODUKTY.EXE.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: PRODUKTY.EXE.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: PRODUKTY.EXE.exe, 00000000.00000000.1646768934.0000000000C22000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: INSERT INTO users (first_name, last_name, email, [password]) VALUES (@firstName, @lastName, @email, @password);
              Source: PRODUKTY.EXE.exeReversingLabs: Detection: 26%
              Source: unknownProcess created: C:\Users\user\Desktop\PRODUKTY.EXE.exe "C:\Users\user\Desktop\PRODUKTY.EXE.exe"
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeProcess created: C:\Users\user\Desktop\PRODUKTY.EXE.exe "C:\Users\user\Desktop\PRODUKTY.EXE.exe"
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeProcess created: C:\Users\user\Desktop\PRODUKTY.EXE.exe "C:\Users\user\Desktop\PRODUKTY.EXE.exe"Jump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: textshaping.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: cryptnet.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: webio.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: cabinet.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: PRODUKTY.EXE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: PRODUKTY.EXE.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: PRODUKTY.EXE.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: EzDE.pdb source: PRODUKTY.EXE.exe
              Source: Binary string: EzDE.pdbSHA256 source: PRODUKTY.EXE.exe
              Source: PRODUKTY.EXE.exeStatic PE information: 0xC09A7FD9 [Tue May 24 21:25:45 2072 UTC]
              Source: PRODUKTY.EXE.exeStatic PE information: section name: .text entropy: 7.576343223802916

              Boot Survival

              Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.2915159034.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PRODUKTY.EXE.exe PID: 1892, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: PRODUKTY.EXE.exe PID: 4464, type: MEMORYSTR
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Process information set: NOOPENFILEERRORBOX (89 identical entries)

              Malware Analysis System Evasion

              Source: Yara match | File source: Process Memory Space: PRODUKTY.EXE.exe PID: 1892, type: MEMORYSTR
              Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.2915159034.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: PRODUKTY.EXE.exe PID: 1892, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: PRODUKTY.EXE.exe PID: 4464, type: MEMORYSTR
              Source: PRODUKTY.EXE.exe, 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: 1640000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: 2FD0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: 4FD0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: 9400000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: A400000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: A610000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: 7910000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: CD0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: 2830000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: 4830000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Window / User API: threadDelayed 4439
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Window / User API: threadDelayed 5304
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe TID: 2496 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe TID: 2692 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe TID: 1312 | Thread sleep time: -13835058055282155s >= -30000s
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe TID: 6756 | Thread sleep count: 4439 > 30
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe TID: 6756 | Thread sleep count: 5304 > 30
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | File Volume queried: C:\ FullSizeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Thread delayed: delay time: 922337203685477
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2914476487.0000000000B4A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWeB
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2913925643.0000000000A96000.00000004.00000020.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2914514509.0000000000B58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Process token adjusted: Debug
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              barindex
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Memory written: C:\Users\user\Desktop\PRODUKTY.EXE.exe base: 400000 value starts with: 4D5A
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Process created: C:\Users\user\Desktop\PRODUKTY.EXE.exe "C:\Users\user\Desktop\PRODUKTY.EXE.exe"
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002893000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2915159034.000000000289B000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2915159034.00000000028C1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager@\^q
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.00000000028C1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerTe^qTG
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.00000000028C1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerTe^q4I
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002893000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2915159034.000000000289B000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2915159034.00000000028C1000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002898000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerTe^q`
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002898000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerTe^q@
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002893000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2915159034.00000000028C1000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002898000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager@\^q%
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002893000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerTe^q<D
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002893000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program ManagerTe^q
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2915159034.000000000289B000.00000004.00000800.00020000.00000000.sdmp; Binary or memory string: Program Manager`,^q
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Users\user\Desktop\PRODUKTY.EXE.exe VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: Yara match; File source: 0.2.PRODUKTY.EXE.exe.300c478.3.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.PRODUKTY.EXE.exe.3017958.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.PRODUKTY.EXE.exe.300c478.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 0.2.PRODUKTY.EXE.exe.3017958.2.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 2.2.PRODUKTY.EXE.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match; File source: 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: 00000002.00000002.2915159034.0000000002831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match; File source: Process Memory Space: PRODUKTY.EXE.exe PID: 1892, type: MEMORYSTR
              Source: Yara match; File source: Process Memory Space: PRODUKTY.EXE.exe PID: 4464, type: MEMORYSTR
              Source: PRODUKTY.EXE.exe, 00000002.00000002.2918150900.0000000004FF7000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
              Source: C:\Users\user\Desktop\PRODUKTY.EXE.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.5870000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3ff7590.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.5870000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3ff7590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3109db8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.30ad8a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.307f650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1673212977.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1675364688.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1671714813.000000000307D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

              Remote Access Functionality

Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.5870000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3ff7590.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.5870000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3ff7590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.3109db8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.30ad8a4.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PRODUKTY.EXE.exe.307f650.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1673212977.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1675364688.0000000005870000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1671714813.000000000307D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

MITRE ATT&CK Matrix (the number before a technique is the count of matched signatures for it)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 112 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 DLL Side-Loading | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 112 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Obfuscated Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Software Packing | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Timestomp | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

Source | Detection | Scanner | Label | Link
PRODUKTY.EXE.exe | 26% | ReversingLabs | ByteCode-MSIL.Trojan.Sonbokli |
PRODUKTY.EXE.exe | 100% | Joe Sandbox ML | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
quin.ydns.eu | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
quin.ydns.eu | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
quin.ydns.eu | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.apache.org/licenses/LICENSE-2.0 | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designersG | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/? | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers? | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsd | PRODUKTY.EXE.exe | false | | high
http://www.tiro.com | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.goodfont.co.kr | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.carterandcone.coml | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sajatypeworks.com | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.typography.netD | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/cabarga.htmlN | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/staff/dennis.htm | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.founder.com.cn/cn | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers/frere-user.html | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.galapagosdesign.com/DPlease | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fontbureau.com/designers8 | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.fonts.com | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sandoll.co.kr | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.urwpp.deDPlease | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.zhongyicts.com.cn | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | PRODUKTY.EXE.exe, 00000002.00000002.2915159034.0000000002831000.00000004.00000800.00020000.00000000.sdmp, PRODUKTY.EXE.exe, 00000002.00000002.2915159034.000000000289B000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.sakkal.com | PRODUKTY.EXE.exe, 00000000.00000002.1676224634.0000000007432000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                                                        • No. of IPs < 25%
                                                                        • 25% < No. of IPs < 50%
                                                                        • 50% < No. of IPs < 75%
                                                                        • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.38.142.240 | unknown | Portugal | | 47674 | NETSOLUTIONSNL | true
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1590553
Start date and time: 2025-01-14 09:15:08 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PRODUKTY.EXE.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@3/3@2/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 74
• Number of non-executed functions: 12
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172, 184.28.90.27, 20.109.210.53, 13.107.253.45
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target PRODUKTY.EXE.exe, PID 4464 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: PRODUKTY.EXE.exe
Time | Type | Description
03:15:58 | API Interceptor | 2x Sleep call for process: PRODUKTY.EXE.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.38.142.240 | zapytanie 2025.exe | malicious | AsyncRAT, PureLog Stealer |
| PRESUPUEST.exe | malicious | AsyncRAT |
| Aviso de transferencia.exe | malicious | AsyncRAT, PureLog Stealer |
| rUAE_LPO.com.exe | malicious | AsyncRAT, PureLog Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | 2330118683179179335.js | malicious | Strela Downloader | 199.232.210.172
| G7T8lHJWWM.exe | malicious | LummaC | 199.232.210.172
| 009.vbe | malicious | AgentTesla | 199.232.210.172
| 577119676170175151.js | malicious | Strela Downloader | 199.232.210.172
| RFQ.exe | malicious | Quasar, PureLog Stealer | 199.232.210.172
| possible SPAM## Msig Insurance Europe Complete via-Sign Monday January 2025.msg | malicious | Unknown | 199.232.214.172
| 3ClBcOpPUX.exe | malicious | CyberGate | 199.232.210.172
| 40#U0433.doc | malicious | Unknown | 199.232.214.172
| KymUijfvKi.doc | malicious | Unknown | 199.232.210.172
| Rev5_ Joint Declaration C5 GER_track changes.doc | malicious | Unknown | 199.232.210.172
Match | Associated Sample Name / URL | Detection | Threat Name | Context
NETSOLUTIONSNL | zapytanie 2025.exe | malicious | AsyncRAT, PureLog Stealer | 185.38.142.240
| 46VHQmFDxC.exe | malicious | RedLine | 185.38.142.167
| ds1bfe33xg.exe | malicious | RedLine | 185.38.142.167
| PRESUPUEST.exe | malicious | AsyncRAT | 185.38.142.240
| Aviso de transferencia.exe | malicious | AsyncRAT, PureLog Stealer | 185.38.142.240
| rUAE_LPO.com.exe | malicious | AsyncRAT, PureLog Stealer | 185.38.142.240
| A9BripDhRY.lnk | malicious | Unknown | 185.38.142.128
| 93.123.85.253-bot.armv4l-2024-08-28T17_49_11.elf | malicious | Unknown | 188.93.233.79
| a591d3d035cf90395ad1078a415a46b5b44dd813496291b702fe36cfb22dee36_dump.exe | malicious | RedLine | 185.38.142.10
| b3u71vBG0u.exe | malicious | RedLine | 185.38.142.10
                                                                                No context
                                                                                No context
Process: C:\Users\user\Desktop\PRODUKTY.EXE.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Reputation: high, very likely benign file
                                                                                Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
Process: C:\Users\user\Desktop\PRODUKTY.EXE.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.253995428229512
Encrypted: false
SSDEEP: 6:kK1ll99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:t/kDImsLNkPlE99SNxAhUe/3
MD5: B55BDF67F0E3765605379BA4E4E73625
SHA1: BFE505BE5BC803C9E35E9B72197C8E502686754B
SHA-256: 1D7F32381E9D19AB0FA99A6115EB87C78F87A80A0037661B99038BE671B9DB1F
SHA-512: 25BC263112EB796BA635CB50B111E550618A00514BF2B1CCBA6B42F2159375DFEB5056418708CD4CBA6BDE630CA3CA9D7F7A160ABF8C9B6B5F3C60011DB33C20
Malicious: false
Reputation: low
                                                                                Preview:p...... ...........\f..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Process: C:\Users\user\Desktop\PRODUKTY.EXE.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                                                                                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.565767776886805
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: PRODUKTY.EXE.exe
File size: 515'072 bytes
MD5: b41bf2658e924e0ede6906f35759e28d
SHA1: 44a3666f49f49bda109a9c6fc0969698668d3789
SHA256: dda88b2f3e4fc0dd679df66662d77aaedaeed19d542fab5171f54e0b01869461
SHA512: 258828419fbac1282f734b1d29e47c0ff6a38a7c164cb3b579dbc4c43deb79e87503c1bedd99e04ce7fdfe04bdff92ba8f75aa3b95ce505489cc08eabbbef917
SSDEEP: 12288:KYRxA4Y5lyA/BxSPC8a1iSN8PppYLJRbPoiNMirHoQtqgjfmHcP9:FRi1iSN0YLHwHgHhdjKc1
TLSH: 1FB4E0582259E807D0931BB42922D3F967799E89EA11C307CFEA3EFFBC367452541392
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.............v.... ........@.. .......................@............@................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x47f076
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0xC09A7FD9 [Tue May 24 21:25:45 2072 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entry point, 0x47f076)
jmp dword ptr [00402000h]
call far 0000h : 003E9999h
aas
int CCh
dec esp
add byte ptr [eax], al   (repeated 91 times)
Only the first instruction is reached. It is the standard .NET loader stub: an indirect jump through the IAT slot at 0x402000 (Imagebase 0x400000 + IAT RVA 0x2000), which holds the binary's only import, mscoree.dll!_CorExeMain. _CorExeMain never returns to the stub, so nothing after the jmp executes; the disassembler simply keeps decoding the bytes that follow, a few stray values and then 00 00 padding, which is why "add byte ptr [eax], al" (opcode 00 00) repeats.
Data directories
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7f024 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x80000 | 0x5e0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x82000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7d854 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Sections
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x7d08c | 0x7d200 | 4bc5f9ad62debcb8e4acbcc753396255 | False | 0.8830720061188811 | data | 7.576343223802916 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x80000 | 0x5e0 | 0x600 | 98c81eb946d704b8f9f81850f6cf01f0 | False | 0.431640625 | data | 4.162906371389731 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x82000 | 0xc | 0x200 | 85e75bfaf517b4893b70abea30f2094e | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Resources
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x80090 | 0x350 | data | | | 0.4268867924528302
RT_MANIFEST | 0x803f0 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
Imports
DLL | Import
mscoree.dll | _CorExeMain
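The static fields above give the three things worth checking by hand on a .NET dropper: the entry point is a jmp through 0x402000 (the IAT at RVA 0x2000, next to the CLR header at 0x2008), the TimeDateStamp decodes to a date in 2072, and .text sits at an entropy of 7.58 for a section that should hold plain MSIL. The script below is an added example, not Joe Sandbox's code or anything from the sample. It parses a PE32 image with the Python standard library; the image it runs on is constructed inline and reuses only those header values from the report (timestamp, Imagebase, DLL characteristics, IAT and CLR-header directories). The single section, its size, the entry RVA and the IAT contents are invented for the example.

```python
"""Static triage of a PE32: compile-time sanity, the .NET entry stub, section
entropy.  Added example (stdlib only); the image it parses is constructed below
and is NOT the analysed binary."""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone

OPT_FMT = "<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII"  # IMAGE_OPTIONAL_HEADER32 without the directories
SECT_FMT = "<8sIIIIIIHHI"                    # IMAGE_SECTION_HEADER
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14         # data-directory indices


def pe_timestamp(ts: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def is_clr_entry_stub(code: bytes, image_base: int, iat_rva: int) -> bool:
    """A .NET PE32 entry point is 'jmp dword ptr [abs32]' (FF 25 imm32) whose
    operand is the IAT slot holding mscoree!_CorExeMain."""
    if len(code) < 6 or code[:2] != b"\xff\x25":
        return False
    (target,) = struct.unpack_from("<I", code, 2)
    return target == image_base + iat_rva


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniform bytes.  A code
    section near 8.0 carries a compressed or encrypted payload, not plain MSIL."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(image: bytes, now: datetime) -> dict:
    """Parse just enough of the headers to answer the three triage questions."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsect, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    f = struct.unpack_from(OPT_FMT, image, opt)
    entry_rva, image_base, ndirs = f[6], f[9], f[-1]
    dirs = [struct.unpack_from("<II", image, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = [struct.unpack_from(SECT_FMT, image, opt + opt_size + 40 * i) for i in range(nsect)]

    def rva_to_offset(rva: int) -> int:
        for _, vsize, va, rawsize, rawptr, *_ in sections:
            if va <= rva < va + max(vsize, rawsize):
                return rawptr + (rva - va)
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    entry = rva_to_offset(entry_rva)
    built = pe_timestamp(ts)
    return {
        "timestamp": built,
        # A build time in the future (or the zero sentinel) cannot be genuine;
        # one day of slack tolerates clock skew on a real build host.
        "timestamp_suspicious": ts == 0 or built > now + timedelta(days=1),
        "is_dotnet": dirs[DIR_COM_DESCRIPTOR][1] != 0,
        "clr_entry_stub": is_clr_entry_stub(image[entry:entry + 6], image_base, dirs[DIR_IAT][0]),
        "section_entropy": {s[0].rstrip(b"\0").decode(): shannon_entropy(image[s[4]:s[4] + s[3]])
                            for s in sections},
    }


def build_sample_image() -> bytes:
    """Constructed minimal PE32, not the analysed file.  Values taken from the
    report: TimeDateStamp 0xC09A7FD9, ImageBase 0x400000, DllCharacteristics
    0x8540, IAT at RVA 0x2000 (8 bytes), CLR header at RVA 0x2008 (0x48 bytes).
    The single section, its size, the entry RVA and the IAT contents are invented."""
    image_base, text_rva, raw_size, file_align = 0x400000, 0x2000, 0x600, 0x200
    entry_rva = text_rva + 0x50
    text = bytearray(raw_size)
    text[0:8] = struct.pack("<II", 0x2070, 0)               # IAT: one slot + terminator (placeholder)
    text[8:16] = struct.pack("<IHH", 0x48, 2, 5)             # IMAGE_COR20_HEADER: cb, runtime 2.5
    text[0x50:0x56] = b"\xff\x25" + struct.pack("<I", image_base + text_rva)  # the entry stub
    # Deterministic high-entropy filler standing in for a crypted payload.
    text[0x60:] = bytes((i * 167 + 13) & 0xFF for i in range(raw_size - 0x60))
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0xC09A7FD9, 0, 0, 224, 0x0102)
    opt = struct.pack(OPT_FMT, 0x10B, 48, 0, raw_size, 0, 0, entry_rva, text_rva, 0,
                      image_base, 0x2000, file_align, 4, 0, 0, 0, 4, 0, 0, 0x4000,
                      file_align, 0, 2, 0x8540, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT], dirs[DIR_COM_DESCRIPTOR] = (text_rva, 8), (text_rva + 8, 0x48)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack(SECT_FMT, b".text", raw_size, text_rva, raw_size, file_align,
                       0, 0, 0, 0, 0x60000020)               # CODE | EXECUTE | READ
    return (dos + coff + opt + sect).ljust(file_align, b"\0") + bytes(text)


def sample_report() -> dict:
    """Run the checks against the constructed image as of the report date."""
    return triage(build_sample_image(), datetime(2025, 1, 14, tzinfo=timezone.utc))


if __name__ == "__main__":
    print(sample_report())
```

Against a real file, pass `open(path, "rb").read()` to `triage` instead of the constructed image. The timestamp check is deliberately loose: a future date is the only value that is provably fabricated, whereas an old or zero timestamp can be legitimate (reproducible builds zero it). The entry-stub check is the cheap way to confirm a file is a managed executable before handing it to a .NET decompiler; a non-zero COM descriptor directory with a native entry point would mean a native loader in front of the CLR.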
Suricata IDS alerts
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-14T09:16:15.500975+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 185.38.142.240 | 1940 | 192.168.2.4 | 49735 | TCP
2025-01-14T09:16:15.500975+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 185.38.142.240 | 1940 | 192.168.2.4 | 49735 | TCP
2025-01-14T09:16:15.500975+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 185.38.142.240 | 1940 | 192.168.2.4 | 49735 | TCP
2025-01-14T09:16:15.500975+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 185.38.142.240 | 1940 | 192.168.2.4 | 49735 | TCP
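All four alerts fire on the server certificate in one TLS handshake on the non-standard port 1940; the packet list for the same flow (below) adds a second indicator that does not depend on a signature: after the handshake the client opens a new exchange about every 14 s with almost no jitter. The script below is an added example, not part of the Joe Sandbox report, showing how to turn such a packet list into a beaconing score. The timestamps and source addresses are copied from the report (a subset; most packets inside a burst are left out, which does not move the burst starts). The 8 s quiet-gap threshold, the 5 % jitter cut-off and the minimum of three intervals are assumptions chosen for this example.

```python
"""Periodicity (beaconing) check over packet timestamps of a single TCP flow.
Added example, not Joe Sandbox code.  PACKETS is a constructed subset of the
report's packet list for 192.168.2.4:49735 <-> 185.38.142.240:1940 (all on the
same day); the 8 s quiet-gap threshold and the jitter cut-off are assumptions."""
from collections import Counter
from statistics import median

CLIENT, SERVER = "192.168.2.4", "185.38.142.240"

# (time of day, source IP) pairs copied from the report; most packets inside a
# burst are omitted, which does not change where the bursts start.
PACKETS = [
    ("09:16:14.881244898", CLIENT), ("09:16:14.886296988", SERVER),
    ("09:16:14.909874916", CLIENT), ("09:16:15.488363981", SERVER),
    ("09:16:16.720753908", SERVER), ("09:16:30.982120991", CLIENT),
    ("09:16:30.987045050", SERVER), ("09:16:31.425106049", SERVER),
    ("09:16:32.975344896", SERVER), ("09:16:33.152709961", CLIENT),
    ("09:16:45.264013052", CLIENT), ("09:16:45.715893984", SERVER),
    ("09:16:59.548295021", CLIENT), ("09:17:00.004112959", SERVER),
    ("09:17:02.982950926", SERVER), ("09:17:03.161825895", CLIENT),
    ("09:17:13.837449074", CLIENT), ("09:17:14.277540922", SERVER),
    ("09:17:28.106585026", CLIENT), ("09:17:28.539344072", SERVER),
    ("09:17:32.990000010", SERVER), ("09:17:33.168390036", CLIENT),
    ("09:17:42.387686968", CLIENT),
]


def seconds_of_day(hms: str) -> float:
    """'HH:MM:SS.fffffffff' -> seconds since midnight (nanosecond text is kept)."""
    h, m, s = hms.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def split_bursts(packets, quiet_gap: float = 8.0):
    """Group packets into bursts separated by at least quiet_gap seconds of
    silence in either direction; return (start_time, initiator_ip) per burst."""
    bursts, last = [], None
    for t, src in sorted((seconds_of_day(hms), src) for hms, src in packets):
        if last is None or t - last >= quiet_gap:
            bursts.append((t, src))
        last = t
    return bursts


def analyse(packets, quiet_gap: float = 8.0, max_jitter: float = 0.05,
            min_intervals: int = 3) -> dict:
    """Score a flow for beaconing: several bursts from one initiator whose
    start-to-start intervals cluster tightly around a single value.  Median
    and MAD are used so that one slow interval (here the first, which spans
    the TLS handshake) cannot hide an otherwise rigid schedule the way a
    mean and standard deviation would."""
    bursts = split_bursts(packets, quiet_gap)
    starts = [t for t, _ in bursts]
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    result = {
        "bursts": len(bursts),
        "initiator": Counter(src for _, src in bursts).most_common(1)[0][0] if bursts else None,
        "median_interval": None,
        "jitter": None,
        "beacon_like": False,
    }
    if len(gaps) < min_intervals:
        return result                     # too little evidence to call it either way
    med = median(gaps)
    mad = median([abs(g - med) for g in gaps])
    result["median_interval"] = med
    result["jitter"] = mad / med          # relative jitter, dimensionless
    result["beacon_like"] = result["jitter"] <= max_jitter
    return result


if __name__ == "__main__":
    r = analyse(PACKETS)
    print(f"{r['bursts']} bursts from {r['initiator']}, median interval "
          f"{r['median_interval']:.2f} s, jitter {r['jitter']:.4f}, beacon_like={r['beacon_like']}")
```

On this flow the result is seven client-initiated bursts with a median interval of about 14.28 s and a relative jitter near 0.0003. The quiet-gap threshold has to sit between the longest pause inside a burst and the beacon interval: the server sends on its own schedule at 09:16:32.975, 09:17:02.983 and 09:17:32.990 (30 s apart), and with an 8 s gap those packets fold into the preceding client burst rather than starting one; running the same function over the full packet list gives the same seven bursts. A capture shorter than three intervals is reported as undecided rather than benign.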
TCP packets (192.168.2.4:49735 <-> 185.38.142.240:1940)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2025 09:16:14.881244898 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:14.886296988 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:14.886398077 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:14.909874916 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:14.914829016 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:15.488363981 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:15.488384962 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:15.488462925 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:15.496227026 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:15.500974894 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:15.667226076 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:15.715138912 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:16.710828066 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:16.715718031 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:16.715815067 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:16.720753908 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:30.982120991 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:30.987045050 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:30.987133026 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:30.991887093 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:31.277374983 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:31.324537992 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:31.406534910 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:31.413532972 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:31.419369936 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:31.419420004 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:31.425106049 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:32.975344896 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:33.027733088 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:33.107592106 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:33.152709961 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:45.264013052 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:45.269498110 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:45.269690990 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:45.275002003 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:45.570681095 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:45.621491909 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:45.702924013 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:45.705924034 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:45.710978985 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:45.711085081 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:45.715893984 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:59.548295021 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:59.553117037 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:59.553174019 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:59.558037996 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:59.842147112 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:59.888170004 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:59.980283022 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:59.994122028 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:16:59.998960972 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:16:59.999037027 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:00.004112959 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:02.982950926 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:03.027725935 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:03.111140966 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:03.161825895 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:13.837449074 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:13.842359066 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:13.842437983 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:13.847284079 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:14.141560078 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:14.184009075 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:14.265603065 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:14.267688036 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:14.272520065 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:14.272591114 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:14.277540922 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:28.106585026 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:28.111689091 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:28.111908913 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:28.116873980 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:28.397732019 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:28.449753046 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:28.527286053 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:28.529351950 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:28.534358025 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:28.534439087 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:28.539344072 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:32.990000010 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:33.043519974 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:33.119103909 CET | 1940 | 49735 | 185.38.142.240 | 192.168.2.4
Jan 14, 2025 09:17:33.168390036 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
Jan 14, 2025 09:17:42.387686968 CET | 49735 | 1940 | 192.168.2.4 | 185.38.142.240
                                                                                Jan 14, 2025 09:17:42.392504930 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:42.392565012 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:42.397337914 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:42.684880972 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:42.730926991 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:42.828649044 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:42.830418110 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:42.835338116 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:42.835410118 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:42.840130091 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:56.669548035 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:56.681015015 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:56.681129932 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:56.693911076 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:56.978008032 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:57.028052092 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:57.110232115 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:57.112278938 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:57.118915081 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:17:57.118983984 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:17:57.126455069 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:18:03.004045010 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:18:03.062369108 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:18:03.135230064 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:18:03.184160948 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:18:05.153373957 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:18:05.159502029 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:18:05.159573078 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:18:05.165550947 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:18:05.449604034 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:18:05.496598005 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:18:05.579588890 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:18:05.580471992 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:18:05.586029053 CET194049735185.38.142.240192.168.2.4
                                                                                Jan 14, 2025 09:18:05.587439060 CET497351940192.168.2.4185.38.142.240
                                                                                Jan 14, 2025 09:18:05.592343092 CET194049735185.38.142.240192.168.2.4
UDP packets

Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Jan 14, 2025 09:16:04.732261896 CET  52079        53         192.168.2.4  1.1.1.1
Jan 14, 2025 09:16:04.758951902 CET  53           52079      1.1.1.1      192.168.2.4
Jan 14, 2025 09:16:09.782707930 CET  51878        53         192.168.2.4  1.1.1.1
Jan 14, 2025 09:16:09.821094036 CET  53           51878      1.1.1.1      192.168.2.4

DNS queries

Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name          Type            Class        DNS over HTTPS
Jan 14, 2025 09:16:04.732261896 CET  192.168.2.4  1.1.1.1  0x6402    Standard query (0)  quin.ydns.eu  A (IP address)  IN (0x0001)  false
Jan 14, 2025 09:16:09.782707930 CET  192.168.2.4  1.1.1.1  0x33f8    Standard query (0)  quin.ydns.eu  A (IP address)  IN (0x0001)  false

DNS answers

Timestamp                            Source IP  Dest IP      Trans ID  Reply Code      Name                         CName  Address          Type            Class        DNS over HTTPS
Jan 14, 2025 09:16:04.758951902 CET  1.1.1.1    192.168.2.4  0x6402    Name error (3)  quin.ydns.eu                 none   none             A (IP address)  IN (0x0001)  false
Jan 14, 2025 09:16:09.821094036 CET  1.1.1.1    192.168.2.4  0x33f8    Name error (3)  quin.ydns.eu                 none   none             A (IP address)  IN (0x0001)  false
Jan 14, 2025 09:16:15.806261063 CET  1.1.1.1    192.168.2.4  0xd9b0    No error (0)    bg.microsoft.map.fastly.net         199.232.210.172  A (IP address)  IN (0x0001)  false
Jan 14, 2025 09:16:15.806261063 CET  1.1.1.1    192.168.2.4  0xd9b0    No error (0)    bg.microsoft.map.fastly.net         199.232.214.172  A (IP address)  IN (0x0001)  false

Target ID: 0
Start time: 03:15:57
Start date: 14/01/2025
Path: C:\Users\user\Desktop\PRODUKTY.EXE.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PRODUKTY.EXE.exe"
Imagebase: 0xc20000
File size: 515'072 bytes
MD5 hash: B41BF2658E924E0EDE6906F35759E28D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1673212977.0000000003FD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1675364688.0000000005870000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1671714813.0000000003006000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                                                                • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.1671714813.000000000307D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:15:58
Start date: 14/01/2025
Path: C:\Users\user\Desktop\PRODUKTY.EXE.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\PRODUKTY.EXE.exe"
Imagebase: 0x520000
File size: 515'072 bytes
MD5 hash: B41BF2658E924E0EDE6906F35759E28D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
                                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000002.2913349574.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                                                                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.2915159034.0000000002831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                                                                                  Execution Graph

Execution Coverage: 8.7%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 3.2%
Total number of Nodes: 93
Total number of Limit Nodes: 5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Pp^q
                                                                                  • API String ID: 0-3179448734
                                                                                  • Opcode ID: 7f2c9f89fce2e10fb294dfdbca440537c7431cc4641f99a656b8542e1156995a
                                                                                  • Instruction ID: 50f7b590af2b7981386c357bdade56ef8cc27b47a22547ea8cbb882c0c5dccb7
                                                                                  • Opcode Fuzzy Hash: 7f2c9f89fce2e10fb294dfdbca440537c7431cc4641f99a656b8542e1156995a
                                                                                  • Instruction Fuzzy Hash: 16819274E012099FCB55DFA9D994ADDBBF2FF88300F20852AE519A7368DB305946CF50
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: Pp^q
                                                                                  • API String ID: 0-3179448734
                                                                                  • Opcode ID: 5d034fe318f160c004cc2a327cd11952baafa5b669d54d4018471162b1d07b70
                                                                                  • Instruction ID: 8b091e58c0c0ca7e1bfbd7deebc8d7a3b8a22cfc1618dc6f20bb251c01b1b652
                                                                                  • Opcode Fuzzy Hash: 5d034fe318f160c004cc2a327cd11952baafa5b669d54d4018471162b1d07b70
                                                                                  • Instruction Fuzzy Hash: B581A274E012099FCB15DFA9D994ADDBBF2FF88300F24852AE419A7369DB309946CF50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7edae55de9c5f3c41c6ada991be9cf2b99bf145dfd6eff1e27cdd13a1106bef9
                                                                                  • Instruction ID: 0b59051e37dce286d9ab3fc5d860d2988c59b4bab4fe6a54b01c20653bf64127
                                                                                  • Opcode Fuzzy Hash: 7edae55de9c5f3c41c6ada991be9cf2b99bf145dfd6eff1e27cdd13a1106bef9
                                                                                  • Instruction Fuzzy Hash: 21413370D14218CFEB48DFAAC8407EEBBB6AF89300F14C866D508BB255DB34594ACB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: f284e511c761fca8555a3ba85a63d43d0c0a92d8ace8638b085d4a402ed0c060
                                                                                  • Instruction ID: 887216d15c0977e8fbc2e48f1e550168857a31e886b1e151612b93730bc887c7
                                                                                  • Opcode Fuzzy Hash: f284e511c761fca8555a3ba85a63d43d0c0a92d8ace8638b085d4a402ed0c060
                                                                                  • Instruction Fuzzy Hash: 1E4149B0D146888FDB84DFAAD8946DEFFB6BF89300F14846AD519AB355EB344806CB50

                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNELBASE(00000000), ref: 0168B626
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleModule
                                                                                  • String ID:
                                                                                  • API String ID: 4139908857-0
                                                                                  • Opcode ID: ecebcfc3673d45de7452103231cf8a9fe2797c85ff4b2813cf50bf62824b7a51
                                                                                  • Instruction ID: d6a3de64ea35d2a029157b4c49a6b2331351a2ecc4d3e3a4ee4db6eee21545fb
                                                                                  • Opcode Fuzzy Hash: ecebcfc3673d45de7452103231cf8a9fe2797c85ff4b2813cf50bf62824b7a51
                                                                                  • Instruction Fuzzy Hash: 7C8134B0A00B058FD724EF29D94179ABBF1BF88304F008A2ED48A97B55D734E846CB95

                                                                                  APIs
                                                                                  • CreateActCtxA.KERNEL32(?), ref: 016859C9
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID: Create
                                                                                  • String ID:
                                                                                  • API String ID: 2289755597-0
                                                                                  • Opcode ID: bd52cbcf860032dc3caacd26e49bfddf79ad661d3114b12b777a4af826cd7077
                                                                                  • Instruction ID: 085e673cc8604fd8942b2e273de2ec42ac6b6f8001e58f9e2631cb5bc641eb83
                                                                                  • Opcode Fuzzy Hash: bd52cbcf860032dc3caacd26e49bfddf79ad661d3114b12b777a4af826cd7077
                                                                                  • Instruction Fuzzy Hash: D041F0B0C00719CBDB24DFA9C8847DEFBB5BF48304F24819AD409AB255DBB5A985CF90

Control-flow Graph: function at 16844f0 calling CreateActCtxA (graph omitted)
APIs
• CreateActCtxA.KERNEL32(?), ref: 016859C9
Memory Dump Source
• Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
Similarity
• API ID: Create
• API String ID: 2289755597-0

Control-flow Graph: function at 61ffc68 calling WriteProcessMemory (graph omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 061FFD00
Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: MemoryProcessWrite
• API String ID: 3559483778-0

Control-flow Graph: function at 61ffc70 calling WriteProcessMemory (graph omitted)
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 061FFD00
Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: MemoryProcessWrite
• API String ID: 3559483778-0

Control-flow Graph: function at 61ffd58 calling ReadProcessMemory (graph omitted)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 061FFDE0
Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: MemoryProcessRead
• API String ID: 1726664587-0

Control-flow Graph: function at 61ff6d1 calling Wow64SetThreadContext (graph omitted)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 061FF756
Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: ContextThreadWow64
• API String ID: 983334009-0

Control-flow Graph: function at 168b3b0 calling DuplicateHandle (graph omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0168D586,?,?,?,?,?), ref: 0168DA4F
Memory Dump Source
• Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0

Control-flow Graph: function at 61ff6d8 calling Wow64SetThreadContext (graph omitted)
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 061FF756
Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: ContextThreadWow64
• API String ID: 983334009-0

Control-flow Graph: function at 61ffd60 calling ReadProcessMemory (graph omitted)
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 061FFDE0
Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: MemoryProcessRead
• API String ID: 1726664587-0

Control-flow Graph: function at 168d9c1 calling DuplicateHandle (graph omitted)
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0168D586,?,?,?,?,?), ref: 0168DA4F
Memory Dump Source
• Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
Similarity
• API ID: DuplicateHandle
• API String ID: 3793708945-0

Control-flow Graph: function at 61ff7a8 calling VirtualAllocEx (graph omitted)
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 061FF81E
Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: AllocVirtual
• API String ID: 4275171209-0

APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 061FF81E
Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: AllocVirtual
• API String ID: 4275171209-0

Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: ResumeThread
• API String ID: 947044025-0

Memory Dump Source
• Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
Similarity
• API ID: ResumeThread
• API String ID: 947044025-0

APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 0168B626
Memory Dump Source
• Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
Similarity
• API ID: HandleModule
• API String ID: 4139908857-0

Memory Dump Source
• Source File: 00000000.00000002.1665505520.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_148d000_PRODUKTY.jbxd

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1666134125.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_149d000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4bd9a9439954d0487a69aa55f1dc816d259c41c734a764c67582944f9624abc4
                                                                                  • Instruction ID: f8f46afebbb4da9d8d511acef72ce6e77f88bdfc37949ae6bcda7a74cf80c233
                                                                                  • Opcode Fuzzy Hash: 4bd9a9439954d0487a69aa55f1dc816d259c41c734a764c67582944f9624abc4
                                                                                  • Instruction Fuzzy Hash: 9D21F2B1A04200DFDF15DF68D984B26BFA5FB84358F20C56ED94A4B366C33AD447CA61
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1666134125.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_149d000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2707482520a81eee11f042017ec0147e4db305c5276f60d78d1989259b1aba33
                                                                                  • Instruction ID: ce64a4645f1d85e268f41968748c3ebbae24751c6ff293187df379c9ca97f502
                                                                                  • Opcode Fuzzy Hash: 2707482520a81eee11f042017ec0147e4db305c5276f60d78d1989259b1aba33
                                                                                  • Instruction Fuzzy Hash: C6212971904200DFDF05DF98DAC4B26BFA5FB84324F20C5AED9094B3A6C336D446CA61
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1666134125.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_149d000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 44c5c3c0cb08b0c2bda3e0c8251460847606b8385cdbae9f830b621e8e7cd68d
                                                                                  • Instruction ID: b7c3a7f11297e9fbaaf4c21da0dbc20858c869e494b31b04c10ee9b3592aaff2
                                                                                  • Opcode Fuzzy Hash: 44c5c3c0cb08b0c2bda3e0c8251460847606b8385cdbae9f830b621e8e7cd68d
                                                                                  • Instruction Fuzzy Hash: 062192755093808FDB07CF64D594716BF71EB46218F28C5DBD8498F2A7C33A980ACB62
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1665505520.000000000148D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0148D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_148d000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                  • Instruction ID: 52180e0d50ff1f9b8de807f0c904d52804147513b2efb19003e61f193b1d0563
                                                                                  • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                  • Instruction Fuzzy Hash: CC11D272804240DFDB02DF48D5C4B5ABF71FB94314F24C2AAD9090B266C33AD45ACB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1666134125.000000000149D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0149D000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_149d000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                  • Instruction ID: 6c53664993f013d377e393caf8c1f41d34e572dc179a9a4b7874f4d52d64771e
                                                                                  • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                  • Instruction Fuzzy Hash: D7118B75904280DFDB16CF54D5C4B16BFA1FB84224F24C6AAD8494B7A6C33AD44ACB61
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'^q
                                                                                  • API String ID: 0-1614139903
                                                                                  • Opcode ID: bd48a0c7426bbd03272596c0471c835cf4dea36e917f36b7bcb4155168214d49
                                                                                  • Instruction ID: f30a5d2e0c843a8c91c38e52f05dc8e3d6ae806ce58fdc7380845fba5b5a003c
                                                                                  • Opcode Fuzzy Hash: bd48a0c7426bbd03272596c0471c835cf4dea36e917f36b7bcb4155168214d49
                                                                                  • Instruction Fuzzy Hash: 83610D70E122098FD748EF7AE95579EBFF3BB89700F14D569D005AB268EF70580A8B41
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: 4'^q
                                                                                  • API String ID: 0-1614139903
                                                                                  • Opcode ID: 3664c27ebc9242004d276ad65d0245cbddedd0b205015f1648445274c1c325d0
                                                                                  • Instruction ID: bd25399bc410b440e890fb8897acab29004961951a5f1240850f6d598ee7e439
                                                                                  • Opcode Fuzzy Hash: 3664c27ebc9242004d276ad65d0245cbddedd0b205015f1648445274c1c325d0
                                                                                  • Instruction Fuzzy Hash: 4B611C70E122098FD748EF7AE95579EBFF3BB89700F14D569D005AB268EF70580A8B41
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d0c3bebcc5d8400d51e56e07c617223bf4ca4bafaa4d0895f9d42096a55bce50
                                                                                  • Instruction ID: 9ff67256682ee7974a75af5615b80b7eeef551719d5d44c2dd598e6d66dc3288
                                                                                  • Opcode Fuzzy Hash: d0c3bebcc5d8400d51e56e07c617223bf4ca4bafaa4d0895f9d42096a55bce50
                                                                                  • Instruction Fuzzy Hash: 97E13A74E101198FCB14DFA9D5909AEFBF2FF89304F248169E519AB35ADB30A941CF60
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: a6f70284713e627d2a1d440a636f3c82719c92ee31fd57c3a5eed1fca6aa493c
                                                                                  • Instruction ID: c8c479cb48d76d046b22cd8855a66d6e471668f5758fac5bd2934ed3b17c16db
                                                                                  • Opcode Fuzzy Hash: a6f70284713e627d2a1d440a636f3c82719c92ee31fd57c3a5eed1fca6aa493c
                                                                                  • Instruction Fuzzy Hash: 79E14C74E101198FCB14DFA9D5909AEFBF2FF88304F248169E515AB356D730A941CFA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: beba5c926d04bc8890537b3956158686b089608d455dd3f8b6e0a72a59d19518
                                                                                  • Instruction ID: 7beb11f96454001699949568170780bfb6bb6d3a4f619b3bc51f04e07709f039
                                                                                  • Opcode Fuzzy Hash: beba5c926d04bc8890537b3956158686b089608d455dd3f8b6e0a72a59d19518
                                                                                  • Instruction Fuzzy Hash: 1DE14B74E101198FCB54DFA9C5909AEFBF2FF88304F248169E519AB356D730A942CFA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: b873887c885a64a6ad42ee2ab28b765ef05ddb8a4c2de8609a77c17ed46b35b3
                                                                                  • Instruction ID: 349e8bd17cd6ee003f43e2b6445adcdd386e7ee809abb500b533decc207f3f53
                                                                                  • Opcode Fuzzy Hash: b873887c885a64a6ad42ee2ab28b765ef05ddb8a4c2de8609a77c17ed46b35b3
                                                                                  • Instruction Fuzzy Hash: 98E14C74E102198FCB54DFA9C5909AEFBF2FF89304F248169E519AB356D730A941CFA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 86170f978393548c935dbba35fc8b8c966cf8d397fe03eab49a46001e4f15d0f
                                                                                  • Instruction ID: 020eda967fa762463c74b20355bffeb48c2086bc9e732e2a4adf89e28b77aca7
                                                                                  • Opcode Fuzzy Hash: 86170f978393548c935dbba35fc8b8c966cf8d397fe03eab49a46001e4f15d0f
                                                                                  • Instruction Fuzzy Hash: ADE11A74E102199FCB14DFA9C5909AEFBB2FF88304F24C169E519AB356D731A941CFA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1669992600.0000000001680000.00000040.00000800.00020000.00000000.sdmp, Offset: 01680000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_1680000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 24afc042d568cf71668456648f539eb0b121fe8a470beca95135072845478ee5
                                                                                  • Instruction ID: 92ee9ef8f5b87f2cb14e9b7b10806cf4d988ff6b35380e38d0e9ba86d682febf
                                                                                  • Opcode Fuzzy Hash: 24afc042d568cf71668456648f539eb0b121fe8a470beca95135072845478ee5
                                                                                  • Instruction Fuzzy Hash: D8A15E32E0020ADFCF05EFB4C84459EBBB3FF85310B1546AAE905AB265DB71E956CB50
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 426c10e805cea4d0a2880ef4dcac785ad0217cbf6bb3085c1008453b88909e4a
                                                                                  • Instruction ID: f84142ef90ff895d9e9f732badd2ba73fa8646608378a25cc8992024db15eca2
                                                                                  • Opcode Fuzzy Hash: 426c10e805cea4d0a2880ef4dcac785ad0217cbf6bb3085c1008453b88909e4a
                                                                                  • Instruction Fuzzy Hash: B1911370D19218CFDB98CFA9D8847EEBBF6BF59304F008469E619A7251DB301986CF80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ca0ed07d408458d06b15b981aeb4bb3d76d092761013419e9e33690f8def120b
                                                                                  • Instruction ID: 253ef6ff7c021a098015942dc4e782d10dbd5c646c9a8650bfe908187f4e66d9
                                                                                  • Opcode Fuzzy Hash: ca0ed07d408458d06b15b981aeb4bb3d76d092761013419e9e33690f8def120b
                                                                                  • Instruction Fuzzy Hash: DF517E74E102198FCB54CFAAC9815AEFBF2FF89300F248169D518AB356D7309941CFA0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 38e8181200ed08e231f445d7ab61443b73932fac8f6d2feeaa4540f94b59e473
                                                                                  • Instruction ID: 2a4a8d89458194425c8c7203975501984f9c9b829638fc4250c89150c3dd8a5e
                                                                                  • Opcode Fuzzy Hash: 38e8181200ed08e231f445d7ab61443b73932fac8f6d2feeaa4540f94b59e473
                                                                                  • Instruction Fuzzy Hash: A1515CB4E112198FCB14DFA9C5805AEFBF2BF89304F24C569D518AB366D7309942CFA1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.1675719571.00000000061F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 061F0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_61f0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 1e96e129b87326a1eb227832522b865d2d22250ef21668334971bb18ab43707c
                                                                                  • Instruction ID: 895eca3152ce207b79587db43d48cc2927c6168535239ee657c0a5c22771c1dd
                                                                                  • Opcode Fuzzy Hash: 1e96e129b87326a1eb227832522b865d2d22250ef21668334971bb18ab43707c
                                                                                  • Instruction Fuzzy Hash: F7515B74E102198FDB14DFA9D9905AEFBF2BF89304F24C16AD418AB356DB309941CF61
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 3694f66426e02b0e523cd34260f8ca6863a10a37e9b13adfa66d06d01e3742dd
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d02172c379a9a62acde6aa2973553fdaf023807c516f93b6d8c88a67f6ea9164
                                                                                  • Instruction ID: 0facb5b2f9b116482c2e1ed5690f6e3cbdba64adeb68fb1d339a2b317deda4c4
                                                                                  • Opcode Fuzzy Hash: d02172c379a9a62acde6aa2973553fdaf023807c516f93b6d8c88a67f6ea9164
                                                                                  • Instruction Fuzzy Hash: F4A16C70E002099FDF10CFA9D9917DDBBF1AF48314F24812AD968E7394EB749986DB81
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: e1e174ff9dfae8f04fc783292f16232f7ea9e5efbbe814e7b352f5c740b9ac03
                                                                                  • Instruction ID: 8dfe690ee684a7c6a3c5b1b21960ea956e7b11593d34f0a7223f20fab5c31b3b
                                                                                  • Opcode Fuzzy Hash: e1e174ff9dfae8f04fc783292f16232f7ea9e5efbbe814e7b352f5c740b9ac03
                                                                                  • Instruction Fuzzy Hash: 97A1AF747006058FCB09EF34E49466DB7F2BFC9314B1089AAD5069B365EF35DE4A8B82
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 93a7abfce4f9e7c0f19b13eed71d133ecaece54b6cfc9a4f07834be0b8f1a1a6
                                                                                  • Instruction ID: 4bf88accfcac70c60e888eaba9bbece411d47aaafcc689a5fc2a69c8c214656a
                                                                                  • Opcode Fuzzy Hash: 93a7abfce4f9e7c0f19b13eed71d133ecaece54b6cfc9a4f07834be0b8f1a1a6
                                                                                  • Instruction Fuzzy Hash: 2CA17F746017419FCB05EF34E848A1E7BB2FFC5311B108AA9D5068B36ADB35998ACFC1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 60ccbcaed974b5e0efe0f21ca4ebcf5ebabacf76c0fac83c6d819a1bbdf72420
                                                                                  • Instruction ID: ab6f5f44df354adac35788ec827c514584bdfba1d6e443434d4bddc7e9a250a8
                                                                                  • Opcode Fuzzy Hash: 60ccbcaed974b5e0efe0f21ca4ebcf5ebabacf76c0fac83c6d819a1bbdf72420
                                                                                  • Instruction Fuzzy Hash: C241A071B042488FCB24EB79D4556AEBBE6EBC9314F14842ED10AAB341CF749D05CB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6e2eafda1ff623ef837cac5d7f4c251415f354fc9241aec242dce2f664525376
                                                                                  • Instruction ID: 786f3f39883042111f67332c6f409ce6b0bb8330991ec7f76991e57f4eaa182d
                                                                                  • Opcode Fuzzy Hash: 6e2eafda1ff623ef837cac5d7f4c251415f354fc9241aec242dce2f664525376
                                                                                  • Instruction Fuzzy Hash: A2419F78A00105DFCB04DF68D984AAEFBB2FF44305F1285A5E515AB7A2DB31ED01CB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 601f2e7562d2d83f92a000d25ce0c7e8d337897bb04c8de7e89e89a35fbab466
                                                                                  • Instruction ID: 772c458aadfa861af07c69b2669aa1d236a9937d20c807b5ffead93f0012cc34
                                                                                  • Opcode Fuzzy Hash: 601f2e7562d2d83f92a000d25ce0c7e8d337897bb04c8de7e89e89a35fbab466
                                                                                  • Instruction Fuzzy Hash: B651C838601A05DFC707FF24E9846597772FF863067108AA9D4018B36DDBB5A98ADF80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 2c4206e864ddd5ec001ad76b68bad4fd460dc8f9fef356919046588da9fe4351
                                                                                  • Instruction ID: 5a568709ed88d26b58c70ad12a8096d39e18d1873b431de234dcba68f6cc7e8e
                                                                                  • Opcode Fuzzy Hash: 2c4206e864ddd5ec001ad76b68bad4fd460dc8f9fef356919046588da9fe4351
                                                                                  • Instruction Fuzzy Hash: 9141C270F04208AFCB08EFB9C54466EBBFAEF88300F24856AD549D7355DA359E428B91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: fcbd40f354f056fd28391143c2bc2d4997638944ee6d8e1bee0431bad9a947ea
                                                                                  • Instruction ID: 17847c206edbc0a39dc151573463ccba04463aa47cd2e5a800eacbd32294738a
                                                                                  • Opcode Fuzzy Hash: fcbd40f354f056fd28391143c2bc2d4997638944ee6d8e1bee0431bad9a947ea
                                                                                  • Instruction Fuzzy Hash: A84110B1D00249DFCB14DF99C980ADEBFB5FF48304F24802AE919AB254DB74A985CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 7f0089a7d99da68d41ceace8441d0edd54d65b83f255ea1a605f93ecc359f78d
                                                                                  • Instruction ID: e6478e63458dae7bf93d224e19f48eaeadeb0d4cc8b8234de65345c0591560fe
                                                                                  • Opcode Fuzzy Hash: 7f0089a7d99da68d41ceace8441d0edd54d65b83f255ea1a605f93ecc359f78d
                                                                                  • Instruction Fuzzy Hash: 9E41E0B0D00349DFCB14DF99C884ADEBFB5FF48314F20802AE919AB254DB75A985CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 04c9162cffdeb9af18bf41771484da7d5f73dd3a5fdb4f981b9426ad9de64927
                                                                                  • Instruction ID: d67ac758e30ed3a9fb7a0c8f2ae849fde9c9c8c2f3af82198afe4edec1acfcae
                                                                                  • Opcode Fuzzy Hash: 04c9162cffdeb9af18bf41771484da7d5f73dd3a5fdb4f981b9426ad9de64927
                                                                                  • Instruction Fuzzy Hash: 6F21B034B05B429FDB65AB7D985832E3BA4BF51301F30486FD61BC2352EB60CA40EB51
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6af3a89f2fee12489ef222b536d3b560e5524477aae02e7dfdbb68d84838af3c
                                                                                  • Instruction ID: 2b4984e2403d9528c255c60423cf15fb4404fbff4d86df6fe59a8f4ac626d56c
                                                                                  • Opcode Fuzzy Hash: 6af3a89f2fee12489ef222b536d3b560e5524477aae02e7dfdbb68d84838af3c
                                                                                  • Instruction Fuzzy Hash: 9E219D34600608CFCB15AB74C9546AE7BF2EF89314F144879D502AB3A4DF319D46CB91
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 4662edc620074ae7e653f23ef9cc975acbe977d5f988692344399008b61768ed
                                                                                  • Instruction ID: f7ef28cc199541c2ce2ad90d8d8f0f120e559c5d15628faed4d3d3737737684e
                                                                                  • Opcode Fuzzy Hash: 4662edc620074ae7e653f23ef9cc975acbe977d5f988692344399008b61768ed
                                                                                  • Instruction Fuzzy Hash: 0A215E347017039FDF64AFBDA91872E3AA4BF51345F30442F961BC6351EA60CA00EB66
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6c77adf783720d8b9dee0eb755429aa4dd528da51f78b39511ba9c07a27545bf
                                                                                  • Instruction ID: 1c14e771a94a84db508740de310b02bf9a298bea7dd0f61a16cc178a14b2ca80
                                                                                  • Opcode Fuzzy Hash: 6c77adf783720d8b9dee0eb755429aa4dd528da51f78b39511ba9c07a27545bf
                                                                                  • Instruction Fuzzy Hash: 9A1125357005014BCB08B779E8902AE77E3EBC9304B10897AC90AC7359EF35DE0A47C6
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5f82da255999af79ce1c939ca0eae30ddf0ab3da43d24316da2b21ec23252317
                                                                                  • Instruction ID: de77d6d3ae8122d1ea774cdc5336dd43d8766131b7b5e1a5b5c09f3a9e27e9e1
                                                                                  • Opcode Fuzzy Hash: 5f82da255999af79ce1c939ca0eae30ddf0ab3da43d24316da2b21ec23252317
                                                                                  • Instruction Fuzzy Hash: 3D11B6B06006469FCF05FB78D44179EBBE1EF81310F508A7AD2058B356EF71AA4A8BD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: ab5cbe7757894577ebb5b5d65dcb3dfe3fe83d5c8beb82a6f047673a30aa39cc
                                                                                  • Instruction ID: 22382bcf388f18d0f800c17a86cb5ed810a76b1d31908988892bbe5e1a494d80
                                                                                  • Opcode Fuzzy Hash: ab5cbe7757894577ebb5b5d65dcb3dfe3fe83d5c8beb82a6f047673a30aa39cc
                                                                                  • Instruction Fuzzy Hash: 9E118E74A00215DFCB55EBB9D44466ABBF2FF8971576408B9D505CB364EB30CD46CB80
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 70484cf44d4d89fe83befe778d94cee80bee5a4075837650e21021c61f075320
                                                                                  • Instruction ID: b0abf5632a1072b109847f9e2dc9158bb81af30880b3d7337fce42828a7abda8
                                                                                  • Opcode Fuzzy Hash: 70484cf44d4d89fe83befe778d94cee80bee5a4075837650e21021c61f075320
                                                                                  • Instruction Fuzzy Hash: 3D11C070B00209DFCB54EBB9D404A2EBBF6BF8831571408BAD50ACB364EA31CD41CB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 97a6921d139d88694b7bea3c8eacc4c09d068f064e7d6a80d4da11094092aa5c
                                                                                  • Instruction ID: 16b037359d4ada9c2961f191a260c2df45fc286c88f7c0670019530ed554ae42
                                                                                  • Opcode Fuzzy Hash: 97a6921d139d88694b7bea3c8eacc4c09d068f064e7d6a80d4da11094092aa5c
                                                                                  • Instruction Fuzzy Hash: DB11A7706002458FCB44FB78D44169EBBF1EFC1310F504A6AD2058B356DF71AA4A8BD1
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
                                                                                  Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5be64a9a49173c54a6165ecc7314b3a7b5f0e32d75924f3cbcb535efa95c4ea
• Instruction ID: 0fd22ba53eb30067ccb618ec60394391c36c897db358ed524b5f7736e44bc554
• Opcode Fuzzy Hash: d5be64a9a49173c54a6165ecc7314b3a7b5f0e32d75924f3cbcb535efa95c4ea
• Instruction Fuzzy Hash: 3601D4353046408BC729A738E99076E76D3AFC5355B09053EE207CB746CF74CD069741
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce4a7402ff1c974efb06caa3157382d3433a19bd88fba32708f98415560f0766
• Instruction ID: 9ccdf1ec3a6f1af7a32697637cb43373590ce49a9f939b640f8a0df4ae5141f4
• Opcode Fuzzy Hash: ce4a7402ff1c974efb06caa3157382d3433a19bd88fba32708f98415560f0766
• Instruction Fuzzy Hash: E1111EB9800308CFCB20DF99D985BDEBBF4EB08324F20841AC569A7350C375AA44CFA5
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b3ee7ebe38787c866b0095a0d0dd32f0f078b0e678534b0ba2419c93ef832ba
• Instruction ID: 76f1877ffcf819df8b207f5a94767a366250fbd17898385386d2cc7b2601c469
• Opcode Fuzzy Hash: 8b3ee7ebe38787c866b0095a0d0dd32f0f078b0e678534b0ba2419c93ef832ba
• Instruction Fuzzy Hash: E711EEB59003498FCB20DF9AD485BDEBBF8EB48324F20845AD569A7350C375AA44CFA5
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1ed90b22d6c8d8d347f409e5b02027d83c5bec49b33ffba5d213a722fd59abcb
• Instruction ID: f61b1f8db036d4c88667ec18ac2369f456a788228754582e1ec36f998f365bce
• Opcode Fuzzy Hash: 1ed90b22d6c8d8d347f409e5b02027d83c5bec49b33ffba5d213a722fd59abcb
• Instruction Fuzzy Hash: 84F0E2712041109FC716AA788C56AA877A4EFD5316F5808A7D144DF36ACE00CC0D83C2
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 14c728ea11afac40db7f25fdb2b82c00effa6841df07e3a7fa99cc17b18799e0
• Instruction ID: e14f123c98418de925aa8054dc0f7cdd04b80917d70765d7b3f5df522ff3dae1
• Opcode Fuzzy Hash: 14c728ea11afac40db7f25fdb2b82c00effa6841df07e3a7fa99cc17b18799e0
• Instruction Fuzzy Hash: 99F0A0BDA582459FDB019B22CA16A6D3BB0EF46300F18049BD242EB3A2D6388941CB60
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 44b2b08a4d80fbf0c9744ae9a6effaf16b4289609b77efedd518f43153e75d52
• Instruction ID: 1f74179341a25d864ab26105d0b6568adaaf372d22937566095322ccdec1482a
• Opcode Fuzzy Hash: 44b2b08a4d80fbf0c9744ae9a6effaf16b4289609b77efedd518f43153e75d52
• Instruction Fuzzy Hash: 4BD0A7755082448FC302EF58D4D4C823BB8FF59A0430100C9E441CB363E620E809C721
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ae7b3f14c926a00c546b59a1aa7f73baaddbc3e86cc41d7de49be09f15111100
• Instruction ID: 660719b047774de0d9358fccd84b6bd52fc1ef35765a1062bf6eb0c5da940ae7
• Opcode Fuzzy Hash: ae7b3f14c926a00c546b59a1aa7f73baaddbc3e86cc41d7de49be09f15111100
• Instruction Fuzzy Hash: C7C08C38605B07CFD7243BA8E80CB2C3D10BB82302FB00017A20B042628FB40900671A
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1520f8df757b06660a23b12dfdc17d6970709b6cc0710ad524a488f1bd37b3e8
• Instruction ID: 72d3159fd1371873e61e3e7ce38bc136bfb4254dcaf242ece15dbe81cba801b1
• Opcode Fuzzy Hash: 1520f8df757b06660a23b12dfdc17d6970709b6cc0710ad524a488f1bd37b3e8
• Instruction Fuzzy Hash: 24C08C38605B4BCFDB242BA8E80CB2C3E10B782302FB0001BA20B042628FB40940AB1A
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd

Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 694e5a06d08116547a038e728c8a72f2dbae5e78db6e0c0ee0d668e445ad0ab4
• Instruction ID: 09df1ab7a6177a9f01165c97742794bca65df664007705e01aee335baf90bc5b
• Opcode Fuzzy Hash: 694e5a06d08116547a038e728c8a72f2dbae5e78db6e0c0ee0d668e445ad0ab4
• Instruction Fuzzy Hash: DCC048392606088F8245EA99E588C12B7A8BF58A013410099E5018B722CB61F810DA61
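The records above are a flat text export, one "Similarity" block per function recovered from the same memory dump. As an added example (not Joe Sandbox's own code, and not part of the original report), the Python below parses such records into structured objects, groups them by the dump region they were carved from, and lists the regions whose code is not backed by a mapped PE image, which is where an injected payload would be looked for first. The sample input is two records copied verbatim from the listing. The report only states "Offset" and "based on PE"; treating the fourth dotted field of the .sdmp file name as the region base address is an assumption about the naming scheme, checked only in that it equals the stated Offset.

```python
"""Parse Joe Sandbox per-function 'Similarity' / 'Memory Dump Source' records from a
text report export. Added example, not Joe Sandbox code; assumptions are marked."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two records copied verbatim from the listing; the first "Snapshot File" line is the tail of the preceding record.
SAMPLE_REPORT = """\
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d5be64a9a49173c54a6165ecc7314b3a7b5f0e32d75924f3cbcb535efa95c4ea
• Instruction ID: 0fd22ba53eb30067ccb618ec60394391c36c897db358ed524b5f7736e44bc554
• Opcode Fuzzy Hash: d5be64a9a49173c54a6165ecc7314b3a7b5f0e32d75924f3cbcb535efa95c4ea
• Instruction Fuzzy Hash: 3601D4353046408BC729A738E99076E76D3AFC5355B09053EE207CB746CF74CD069741
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
Similarity
• Opcode ID: ce4a7402ff1c974efb06caa3157382d3433a19bd88fba32708f98415560f0766
• Instruction ID: 9ccdf1ec3a6f1af7a32697637cb43373590ce49a9f939b640f8a0df4ae5141f4
• Opcode Fuzzy Hash: ce4a7402ff1c974efb06caa3157382d3433a19bd88fba32708f98415560f0766
• Instruction Fuzzy Hash: E1111EB9800308CFCB20DF99D985BDEBBF4EB08324F20841AC569A7350C375AA44CFA5
Memory Dump Source
• Source File: 00000002.00000002.2914851863.0000000000CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CD0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_2_2_cd0000_PRODUKTY.jbxd
"""

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    instruction_id: str = ""
    opcode_fuzzy_hash: str = ""
    instruction_fuzzy_hash: str = ""
    source_file: str = ""
    offset: Optional[int] = None        # "Offset: 00CD0000", parsed as hex
    based_on_pe: Optional[bool] = None  # "based on PE: false"
    snapshot_file: str = ""

FIELD_MAP = {"Opcode ID": "opcode_id", "Instruction ID": "instruction_id",
             "Opcode Fuzzy Hash": "opcode_fuzzy_hash", "Snapshot File": "snapshot_file",
             "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}

def parse_records(text: str) -> List[FunctionRecord]:
    """One record per 'Similarity' header; fields before the first header are dropped."""
    records: List[FunctionRecord] = []
    current: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "Similarity":
            current = FunctionRecord()
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # section headers such as "Memory Dump Source"
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Source File":
            _parse_source(current, value)
        elif key in FIELD_MAP:  # the empty API ID / String ID fields fall through
            setattr(current, FIELD_MAP[key], value)
    return records

def _parse_source(rec: FunctionRecord, value: str) -> None:
    # "<name>.sdmp, Offset: 00CD0000, based on PE: false"
    parts = [p.strip() for p in value.split(",")]
    rec.source_file = parts[0]
    for part in parts[1:]:
        k, _, v = part.partition(":")
        k, v = k.strip().lower(), v.strip().lower()
        if k == "offset":
            rec.offset = int(v, 16)
        elif k == "based on pe":
            rec.based_on_pe = v == "true"

def summarize(records: List[FunctionRecord]) -> Dict[str, dict]:
    """Per dump region: functions carved from it, and whether the fourth dotted
    field of the .sdmp name (ASSUMED to be the region base) equals the Offset."""
    by_region: Dict[str, List[FunctionRecord]] = defaultdict(list)
    for r in records:
        by_region[r.source_file].append(r)
    summary = {}
    for src, recs in by_region.items():
        base_field = int(src.split(".")[3], 16)
        summary[src] = {
            "based_on_pe": recs[0].based_on_pe,
            "base_matches_offset": base_field == recs[0].offset,
            "functions": len(recs),
            "unique_instruction_ids": len({r.instruction_id for r in recs}),
        }
    return summary

def unbacked_regions(records: List[FunctionRecord]) -> List[str]:
    """Regions whose code is not a mapped PE image: extract these first for injected payloads."""
    return sorted({r.source_file for r in records if r.based_on_pe is False})
```

Run against the full listing, every record resolves to the same region (process 2, region at 00CD0000, not PE-backed), so the summary collapses to a single entry whose function count is the number of "Similarity" blocks; the Opcode ID and Opcode Fuzzy Hash columns are identical in each record here, so only the Instruction ID is needed to count distinct functions.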