Edit tour

Windows Analysis Report
product sample requirement.exe

Overview

General Information

Sample name:	product sample requirement.exe
Analysis ID:	1560738
MD5:	07d5a83558349a82cfa1dc6d68f4d84b
SHA1:	064af18045030703bc4c62c99f1abe5700832e8a
SHA256:	096b33571e80d18c1763a3bd5d019e3177f1547b3ca6e6205a349075ce2fec18
Tags:	exemalwareuser-Joker
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sample uses string decryption to hide its real strings

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

product sample requirement.exe (PID: 6576 cmdline: "C:\Users\user\Desktop\product sample requirement.exe" MD5: 07D5A83558349A82CFA1DC6D68F4D84B)

powershell.exe (PID: 2032 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 1136 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 5812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7368 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 7048 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

product sample requirement.exe (PID: 7236 cmdline: "C:\Users\user\Desktop\product sample requirement.exe" MD5: 07D5A83558349A82CFA1DC6D68F4D84B)

TWmzcmqkuotC.exe (PID: 7340 cmdline: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe MD5: 07D5A83558349A82CFA1DC6D68F4D84B)

schtasks.exe (PID: 7540 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

TWmzcmqkuotC.exe (PID: 7592 cmdline: "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe" MD5: 07D5A83558349A82CFA1DC6D68F4D84B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["teebro1800.dynamic-dns.net"], "Port": 2195, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000D.00000002.1778713308.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0000000D.00000002.1778713308.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6aa8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6b45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6c5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x691a:$cnc4: POST / HTTP/1.1
00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x91d0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x114b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x19d4c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x926d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1154d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x19de9:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x9382:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11662:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x19efe:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x9042:$cnc4: POST / HTTP/1.1 0x11322:$cnc4: POST / HTTP/1.1 0x19bbe:$cnc4: POST / HTTP/1.1
00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xce59c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xd687c:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xdf124:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xce639:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xd6919:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xdf1c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xce74e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xd6a2e:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xdf2d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xce40e:$cnc4: POST / HTTP/1.1 0xd66ee:$cnc4: POST / HTTP/1.1 0xdef96:$cnc4: POST / HTTP/1.1
Process Memory Space: product sample requirement.exe PID: 6576	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: product sample requirement.exe PID: 6576	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TWmzcmqkuotC.exe PID: 7340	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: TWmzcmqkuotC.exe PID: 7340	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: TWmzcmqkuotC.exe PID: 7592	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.product sample requirement.exe.27e0bd4.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.product sample requirement.exe.27e0bd4.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d1a:$cnc4: POST / HTTP/1.1
9.2.TWmzcmqkuotC.exe.2a48528.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.TWmzcmqkuotC.exe.2a48528.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d1a:$cnc4: POST / HTTP/1.1
9.2.TWmzcmqkuotC.exe.2a50808.2.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.TWmzcmqkuotC.exe.2a50808.2.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d1a:$cnc4: POST / HTTP/1.1
0.2.product sample requirement.exe.27d88f4.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.product sample requirement.exe.27d88f4.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x4ea8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x4f45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x505a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4d1a:$cnc4: POST / HTTP/1.1
13.2.TWmzcmqkuotC.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
13.2.TWmzcmqkuotC.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1
9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xef88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17824:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf025:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x178c1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf13a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x179d6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1 0xedfa:$cnc4: POST / HTTP/1.1 0x17696:$cnc4: POST / HTTP/1.1
0.2.product sample requirement.exe.27d88f4.0.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.product sample requirement.exe.27d88f4.0.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xef88:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x17830:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf025:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x178cd:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf13a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x179e2:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1 0xedfa:$cnc4: POST / HTTP/1.1 0x176a2:$cnc4: POST / HTTP/1.1
9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf544:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf5e1:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf6f6:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1 0xf3b6:$cnc4: POST / HTTP/1.1
0.2.product sample requirement.exe.27e0bd4.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.product sample requirement.exe.27e0bd4.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6ca8:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0xf550:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6d45:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0xf5ed:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e5a:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0xf702:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6b1a:$cnc4: POST / HTTP/1.1 0xf3c2:$cnc4: POST / HTTP/1.1
0.2.product sample requirement.exe.276fe74.2.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.product sample requirement.exe.276fe74.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.product sample requirement.exe.276fe74.2.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6f728:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x77a08:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x802b0:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6f7c5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x77aa5:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x8034d:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6f8da:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x77bba:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x80462:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6f59a:$cnc4: POST / HTTP/1.1 0x7787a:$cnc4: POST / HTTP/1.1 0x80122:$cnc4: POST / HTTP/1.1
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\product sample requirement.exe", ParentImage: C:\Users\user\Desktop\product sample requirement.exe, ParentProcessId: 6576, ParentProcessName: product sample requirement.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe", ProcessId: 2032, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe, ParentImage: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe, ParentProcessId: 7340, ParentProcessName: TWmzcmqkuotC.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp", ProcessId: 7540, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\product sample requirement.exe", ParentImage: C:\Users\user\Desktop\product sample requirement.exe, ParentProcessId: 6576, ParentProcessName: product sample requirement.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp", ProcessId: 7048, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\product sample requirement.exe", ParentImage: C:\Users\user\Desktop\product sample requirement.exe, ParentProcessId: 6576, ParentProcessName: product sample requirement.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe", ProcessId: 2032, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\product sample requirement.exe", ParentImage: C:\Users\user\Desktop\product sample requirement.exe, ParentProcessId: 6576, ParentProcessName: product sample requirement.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp", ProcessId: 7048, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T09:18:32.444655+0100	2853193	1	Malware Command and Control Activity Detected	192.168.2.4	50032	109.248.151.221	2195	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: teebro1800.dynamic-dns.net

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["teebro1800.dynamic-dns.net"], "Port": 2195, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe

ReversingLabs: Detection: 65%

Multi AV Scanner detection for submitted file

Source: product sample requirement.exe

ReversingLabs: Detection: 65%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: product sample requirement.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack	String decryptor: teebro1800.dynamic-dns.net
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack	String decryptor: 2195
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack	String decryptor: <123456789>
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack	String decryptor: <Xwormmm>
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack	String decryptor: XWorm V5.6
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack	String decryptor: USB.exe

Source: product sample requirement.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: product sample requirement.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: WvTw.pdb source: product sample requirement.exe, TWmzcmqkuotC.exe.0.dr
Source:	Binary string: WvTw.pdbSHA256 source: product sample requirement.exe, TWmzcmqkuotC.exe.0.dr

Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 4x nop then jmp 07154526h		0_2_07154666
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 4x nop then jmp 06DD37F6h		9_2_06DD3936

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49835 -> 109.248.151.221:2195
Source: Network traffic	Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:50032 -> 109.248.151.221:2195

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: teebro1800.dynamic-dns.net

Yara detected Generic Downloader

Source: Yara match

File source: 0.2.product sample requirement.exe.276fe74.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 109.248.151.221:2195

Source: Joe Sandbox View

ASN Name: DATACLUBLV DATACLUBLV

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: teebro1800.dynamic-dns.net

Source: product sample requirement.exe, 00000008.00000002.4126443765.0000000001136000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://go.mic
Source: product sample requirement.exe, 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp, product sample requirement.exe, 00000008.00000002.4127948271.0000000003141000.00000004.00000800.00020000.00000000.sdmp, TWmzcmqkuotC.exe, 00000009.00000002.1766752393.0000000002981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: product sample requirement.exe, TWmzcmqkuotC.exe.0.dr	String found in binary or memory: http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.fonts.com
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp, product sample requirement.exe, 00000000.00000002.1729533775.0000000005130000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.sakkal.com
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.tiro.com
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.typography.netD
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.product sample requirement.exe.27e0bd4.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.product sample requirement.exe.27d88f4.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 13.2.TWmzcmqkuotC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.product sample requirement.exe.276fe74.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000D.00000002.1778713308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\product sample requirement.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0256D57C	0_2_0256D57C
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_04CC0040	0_2_04CC0040
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_04CC003F	0_2_04CC003F
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0534E978	0_2_0534E978
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0534B12C	0_2_0534B12C
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0534D868	0_2_0534D868
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071543E8	0_2_071543E8
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_07156220	0_2_07156220
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_07151F09	0_2_07151F09
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071506D8	0_2_071506D8
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071502A0	0_2_071502A0
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071A34B8	0_2_071A34B8
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071A2106	0_2_071A2106
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071A6678	0_2_071A6678
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071AF678	0_2_071AF678
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071A6669	0_2_071A6669
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071AF240	0_2_071AF240
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071AA2D1	0_2_071AA2D1
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_071ADE30	0_2_071ADE30
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 8_2_02F16350	8_2_02F16350
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 8_2_02F15678	8_2_02F15678
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 8_2_02F184D0	8_2_02F184D0
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 8_2_02F10BA0	8_2_02F10BA0
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 8_2_02F15330	8_2_02F15330
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_00EBD57C	9_2_00EBD57C
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06DD36C8	9_2_06DD36C8
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06DD54F8	9_2_06DD54F8
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06DD06D8	9_2_06DD06D8
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06DD02A0	9_2_06DD02A0
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E134B8	9_2_06E134B8
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E10040	9_2_06E10040
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E1F661	9_2_06E1F661
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E16669	9_2_06E16669
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E1F670	9_2_06E1F670
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E16678	9_2_06E16678
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E1A2D1	9_2_06E1A2D1
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E1F227	9_2_06E1F227
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E1F238	9_2_06E1F238
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E1EE00	9_2_06E1EE00
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 9_2_06E1DCB0	9_2_06E1DCB0
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Code function: 13_2_02960B92	13_2_02960B92

Source: product sample requirement.exe, 00000000.00000002.1731220498.0000000007270000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs product sample requirement.exe
Source: product sample requirement.exe, 00000000.00000002.1723277901.000000000082E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs product sample requirement.exe
Source: product sample requirement.exe, 00000000.00000002.1726250869.0000000003879000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs product sample requirement.exe
Source: product sample requirement.exe, 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs product sample requirement.exe
Source: product sample requirement.exe, 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXClient.exe4 vs product sample requirement.exe
Source: product sample requirement.exe, 00000000.00000000.1677959587.0000000000420000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameWvTw.exeP vs product sample requirement.exe
Source: product sample requirement.exe, 00000000.00000002.1730907310.00000000070D0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameArthur.dll" vs product sample requirement.exe
Source: product sample requirement.exe	Binary or memory string: OriginalFilenameWvTw.exeP vs product sample requirement.exe

Source: product sample requirement.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 0.2.product sample requirement.exe.27e0bd4.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.product sample requirement.exe.27d88f4.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 13.2.TWmzcmqkuotC.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.product sample requirement.exe.276fe74.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000D.00000002.1778713308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: product sample requirement.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: TWmzcmqkuotC.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, J2rLQ5Ba9pr58NDIa7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, J2rLQ5Ba9pr58NDIa7.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, BBG68ril99edvlsaCS.cs	Security API names: _0020.SetAccessControl
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, BBG68ril99edvlsaCS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, BBG68ril99edvlsaCS.cs	Security API names: _0020.AddAccessRule
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, BBG68ril99edvlsaCS.cs	Security API names: _0020.SetAccessControl
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, BBG68ril99edvlsaCS.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, BBG68ril99edvlsaCS.cs	Security API names: _0020.AddAccessRule
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/15@8/1

Source: C:\Users\user\Desktop\product sample requirement.exe

File created: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5812:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4280:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7548:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:708:120:WilError_03
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Mutant created: \Sessions\1\BaseNamedObjects\zIEdvXAXTNmur
Source: C:\Users\user\Desktop\product sample requirement.exe	Mutant created: \Sessions\1\BaseNamedObjects\wyDwhmVwMImivlWa

Source: C:\Users\user\Desktop\product sample requirement.exe

File created: C:\Users\user\AppData\Local\Temp\tmpA26.tmp

Jump to behavior

Source: product sample requirement.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: product sample requirement.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\product sample requirement.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\product sample requirement.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: product sample requirement.exe

ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\product sample requirement.exe

File read: C:\Users\user\Desktop\product sample requirement.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\product sample requirement.exe "C:\Users\user\Desktop\product sample requirement.exe"
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Users\user\Desktop\product sample requirement.exe "C:\Users\user\Desktop\product sample requirement.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process created: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe"	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Users\user\Desktop\product sample requirement.exe "C:\Users\user\Desktop\product sample requirement.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process created: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Section loaded: sspicli.dll

Source: C:\Users\user\Desktop\product sample requirement.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\product sample requirement.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: product sample requirement.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: product sample requirement.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: product sample requirement.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: WvTw.pdb source: product sample requirement.exe, TWmzcmqkuotC.exe.0.dr
Source:	Binary string: WvTw.pdbSHA256 source: product sample requirement.exe, TWmzcmqkuotC.exe.0.dr

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, Messages.cs	.Net Code: Memory
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, BBG68ril99edvlsaCS.cs	.Net Code: yJHAHL1da8 System.Reflection.Assembly.Load(byte[])
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, BBG68ril99edvlsaCS.cs	.Net Code: yJHAHL1da8 System.Reflection.Assembly.Load(byte[])
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, Messages.cs	.Net Code: Memory
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, Messages.cs	.Net Code: Memory

Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0256C3F1 push cs; ret	0_2_0256C3FE
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0256A0D8 push edx; ret	0_2_0256A0E7
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0256C658 push es; ret	0_2_0256C666
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0256C4D9 push cs; ret	0_2_0256C4E6
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_025696F0 pushfd ; ret	0_2_025696FE
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_0256B7F8 push ebx; ret	0_2_0256B80F
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_02565E88 pushfd ; ret	0_2_02565F26
Source: C:\Users\user\Desktop\product sample requirement.exe	Code function: 0_2_04CC5847 push ss; ret	0_2_04CC5849

Source: product sample requirement.exe	Static PE information: section name: .text entropy: 7.914229382691976
Source: TWmzcmqkuotC.exe.0.dr	Static PE information: section name: .text entropy: 7.914229382691976

Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, wf7pIcJpDXjZPhmdcR.cs	High entropy of concatenated method names: 'Dispose', 'dFvMsmJLYy', 'uMpZE2RChT', 'ld6PxmeM0k', 'WVZMDaBj5l', 'UWhMzAi2mt', 'ProcessDialogKey', 'ElNZKAnrwU', 'ED8ZMIYuk5', 'XetZZj3TX0'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, lahKsNlJhvfR5sOQsC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'DAPZsoHdlV', 'SlWZDG6oyT', 'qYBZzua41o', 'QIHtKxnD74', 'QkstMOaKVe', 'sgStZZ2WmW', 'fUottI3Mjh', 'AsYiRLQACHGfIoaCAVM'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, CIuvfcMMUIGohnXtuRN.cs	High entropy of concatenated method names: 'HnmFDRlPTb', 'VCQFzcrO9x', 'Cn8uKNaDJY', 'pNRuManQTB', 'MyLuZ3vJhy', 'Y3butqtZqv', 'BKhuApHUEB', 'a8uu8inxR0', 'CECu9HNeap', 'ztduJyb4xV'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, L3TX0hDPpaonn1Z3cI.cs	High entropy of concatenated method names: 'S4jFlZ2m69', 'X9UFQcg7LD', 'c7iFcdwDX5', 'B85Fpp0qOi', 'rhuF3Hdgxt', 'nbLFi4FEDH', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, YNQMIuZR96mk1bBJra.cs	High entropy of concatenated method names: 'PLyH8tOMY', 'DGtbIXAcH', 'A2joVDswW', 'jwAYdtTVH', 'V9Yer39oL', 'A1lxNaNly', 'dTvI7s77beZreynCGV', 'eYK5PXS1GTBuV8B1s4', 'EAAvQ5jGv', 'A19FFGDBD'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, DyEgUQzn4oBAjYcrSs.cs	High entropy of concatenated method names: 'O5eFo9Hyoc', 'uYQFBpdyZe', 'T2bFeyK1aU', 'bkKF5vXSDA', 'FI6FEWHBUV', 'zjnFhssLdx', 'u52FPZ2bIU', 'aToFrm83q3', 'eatF1Ay81e', 'exUFGLSTGg'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, J2rLQ5Ba9pr58NDIa7.cs	High entropy of concatenated method names: 'zoeJRHGRim', 'sP5JXT4s7B', 'vpoJwUNE0p', 'EwpJg6mZSD', 'XFMJINy3o3', 'VcnJkJmUXS', 'OhIJ0S27D9', 'rXyJq9YyCo', 'DagJsbrBTT', 'YSZJDodO9D'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, bhqlRWMAgHg9OOlfpUx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VGJ23H2JbA', 'Jyr2FqTVGr', 'LWr2uLqqse', 'X4022dSGxv', 'B9D2CENxlq', 'OMw2dJeQVL', 'j0p2rhVV15'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, b97t5sLblaohbYs4QH.cs	High entropy of concatenated method names: 'x616BvVq4f', 'p3i6efvD7N', 'TR565yWpyZ', 'oZK6Ewm0wd', 'Jtn6hpKt8U', 'Cat6P5TfFp', 'xAX6jCIrn4', 'iiq6VxHJ5a', 'L8o6fa5Wq1', 'D5M6SNu92I'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, iEUq6ejrWBbLc1BIGt.cs	High entropy of concatenated method names: 'KQMp9qxBox', 'B43pl4YtBq', 'XuEpc8tBEJ', 'gsTcD2bnKP', 'KnkczL6eQB', 'Wq3pKjnCaq', 'fX5pMsG78c', 'G4SpZvrItr', 'ggEptlGlZf', 'IJapAHSOkA'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, oAnrwUseD8IYuk5set.cs	High entropy of concatenated method names: 'aIE35qQ056', 'ojI3E3Wfl1', 'JjM3m7dOFb', 'Y5r3hHeH6P', 'JKE3P10v2x', 'Rbb3UCWYtv', 'eI53jfjU1b', 'XgK3V4ipEk', 'bDh3y7FfZC', 'Gi93fPSPhX'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, bQmIQewe4KykYYO3Rt.cs	High entropy of concatenated method names: 'ToString', 'e7dWSyeir8', 'cMKWEyrTsv', 'HpVWmAYapV', 'SuhWh2tv7d', 'vwZWPov9L5', 'dKJWUMMrRv', 'ShhWjIuYDD', 'ERvWVXFKx8', 'n1xWyXxW4Q'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, JBquDIkTJBCKCHfOX3.cs	High entropy of concatenated method names: 'zylTqxQRaI', 'evTTDfDOJB', 'tvAvKWRhHR', 'efcvM4CF67', 'pSYTSjedom', 'zjeTa8b1P2', 'NseTLB8iZL', 'zKcTRUBovr', 'zV9TXFvPVy', 'GA7TwqPK6T'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, pQCggtydJZWO9wRk8V.cs	High entropy of concatenated method names: 'Lfqp1PuoU8', 'hqSpGbRlR8', 'DWhpHpRojL', 'UXhpbZ3ajm', 'BJ1pOPjk92', 'Dt3povj60C', 'DuYpYgAnjp', 'KRppBBNMwf', 'FiMpexrqJH', 'XjbpxqMgHF'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, wjJ0770SbtFvmJLYy0.cs	High entropy of concatenated method names: 'Nr93NL2UjN', 'MVj3TjWi8o', 'LNu33YjNcS', 'NH33uqnF5f', 'gE23CHsGUA', 'NBb3r85SZO', 'Dispose', 'N5Ev9n9t8N', 'qCYvJd1D7E', 'yEDvlhmIc1'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, t2xSoI5OIPqG3Emstu.cs	High entropy of concatenated method names: 'lGyc8pO2Lu', 'V2kcJ6DXCZ', 'YcOcQ3cQwX', 'zM1cpc13YM', 'EKacieE2Bg', 'xW4QIqAskj', 'r8tQkK4PPO', 'DyVQ0BOv5e', 'wlRQqLKyNx', 'EgoQsI2Zb9'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, BBG68ril99edvlsaCS.cs	High entropy of concatenated method names: 'bAct8pHDaF', 'BdCt9rWjKG', 'pYutJZ3bnN', 'OqftlW6EId', 'NUptQAqTcY', 'fF3tcBBTQY', 'YQUtppk3Ji', 'xBXtieBXw2', 'apRt4QOr0W', 'pXnt7UVEtI'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, uFsj5WRoiYsTfJXB4I.cs	High entropy of concatenated method names: 'zcLNfDwbQQ', 'QOiNaBdTgB', 'SkyNRVpuGj', 'phmNXnjtTR', 'WCnNEXhOrU', 'xJLNmZ1Msu', 'AjDNhX1SpF', 'YyFNPdjKFW', 'bUINUEIUvu', 'XtDNj5qGMg'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, nh2UCue7G7vdMMX7Dg.cs	High entropy of concatenated method names: 'ebelbpT0u9', 'eCQloG2nZO', 'ENilBkvJWB', 'fHTleL9pda', 'IQAlNYseh2', 'xP6lWFdrSW', 'dpNlTmxgae', 'BgSlv8aajo', 'M1ul3ehYjQ', 'lY9lFt668F'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, WOiRsLxcY7rY5d8atk.cs	High entropy of concatenated method names: 'Fw4QOOOorS', 'XhdQY0wj6s', 'DmllmTXttf', 'DB8lhkreYZ', 'maRlPU9iZD', 'TJylU1GIGX', 'pgmljARcFg', 'itZlV0Hx4g', 'wU1lyxSreb', 'UUOlfEiAgV'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, KQFy4hAZGpktWxQ9X2.cs	High entropy of concatenated method names: 'KsPMp2rLQ5', 'P9pMir58ND', 't7GM77vdMM', 'R7DMngqOiR', 'w8aMNtkF2x', 'OoIMWOIPqG', 'x7xjQU0cSF9WN7y31K', 'HVl0x99XgMJ9M3WJPh', 'kUVMMaKJPm', 'oIlMteXdJT'
Source: 0.2.product sample requirement.exe.7270000.5.raw.unpack, wZq0OkMKagw2smxV2ca.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vaAFSwWYCm', 'EwlFaAm5An', 'e0bFLTmkT8', 'wy7FRb6Yag', 'KiFFXT3Zof', 'zPGFwA3wPY', 'MuMFgiq9mT'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, wf7pIcJpDXjZPhmdcR.cs	High entropy of concatenated method names: 'Dispose', 'dFvMsmJLYy', 'uMpZE2RChT', 'ld6PxmeM0k', 'WVZMDaBj5l', 'UWhMzAi2mt', 'ProcessDialogKey', 'ElNZKAnrwU', 'ED8ZMIYuk5', 'XetZZj3TX0'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, lahKsNlJhvfR5sOQsC.cs	High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'DAPZsoHdlV', 'SlWZDG6oyT', 'qYBZzua41o', 'QIHtKxnD74', 'QkstMOaKVe', 'sgStZZ2WmW', 'fUottI3Mjh', 'AsYiRLQACHGfIoaCAVM'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, CIuvfcMMUIGohnXtuRN.cs	High entropy of concatenated method names: 'HnmFDRlPTb', 'VCQFzcrO9x', 'Cn8uKNaDJY', 'pNRuManQTB', 'MyLuZ3vJhy', 'Y3butqtZqv', 'BKhuApHUEB', 'a8uu8inxR0', 'CECu9HNeap', 'ztduJyb4xV'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, L3TX0hDPpaonn1Z3cI.cs	High entropy of concatenated method names: 'S4jFlZ2m69', 'X9UFQcg7LD', 'c7iFcdwDX5', 'B85Fpp0qOi', 'rhuF3Hdgxt', 'nbLFi4FEDH', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, YNQMIuZR96mk1bBJra.cs	High entropy of concatenated method names: 'PLyH8tOMY', 'DGtbIXAcH', 'A2joVDswW', 'jwAYdtTVH', 'V9Yer39oL', 'A1lxNaNly', 'dTvI7s77beZreynCGV', 'eYK5PXS1GTBuV8B1s4', 'EAAvQ5jGv', 'A19FFGDBD'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, DyEgUQzn4oBAjYcrSs.cs	High entropy of concatenated method names: 'O5eFo9Hyoc', 'uYQFBpdyZe', 'T2bFeyK1aU', 'bkKF5vXSDA', 'FI6FEWHBUV', 'zjnFhssLdx', 'u52FPZ2bIU', 'aToFrm83q3', 'eatF1Ay81e', 'exUFGLSTGg'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, J2rLQ5Ba9pr58NDIa7.cs	High entropy of concatenated method names: 'zoeJRHGRim', 'sP5JXT4s7B', 'vpoJwUNE0p', 'EwpJg6mZSD', 'XFMJINy3o3', 'VcnJkJmUXS', 'OhIJ0S27D9', 'rXyJq9YyCo', 'DagJsbrBTT', 'YSZJDodO9D'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, bhqlRWMAgHg9OOlfpUx.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'VGJ23H2JbA', 'Jyr2FqTVGr', 'LWr2uLqqse', 'X4022dSGxv', 'B9D2CENxlq', 'OMw2dJeQVL', 'j0p2rhVV15'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, b97t5sLblaohbYs4QH.cs	High entropy of concatenated method names: 'x616BvVq4f', 'p3i6efvD7N', 'TR565yWpyZ', 'oZK6Ewm0wd', 'Jtn6hpKt8U', 'Cat6P5TfFp', 'xAX6jCIrn4', 'iiq6VxHJ5a', 'L8o6fa5Wq1', 'D5M6SNu92I'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, iEUq6ejrWBbLc1BIGt.cs	High entropy of concatenated method names: 'KQMp9qxBox', 'B43pl4YtBq', 'XuEpc8tBEJ', 'gsTcD2bnKP', 'KnkczL6eQB', 'Wq3pKjnCaq', 'fX5pMsG78c', 'G4SpZvrItr', 'ggEptlGlZf', 'IJapAHSOkA'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, oAnrwUseD8IYuk5set.cs	High entropy of concatenated method names: 'aIE35qQ056', 'ojI3E3Wfl1', 'JjM3m7dOFb', 'Y5r3hHeH6P', 'JKE3P10v2x', 'Rbb3UCWYtv', 'eI53jfjU1b', 'XgK3V4ipEk', 'bDh3y7FfZC', 'Gi93fPSPhX'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, bQmIQewe4KykYYO3Rt.cs	High entropy of concatenated method names: 'ToString', 'e7dWSyeir8', 'cMKWEyrTsv', 'HpVWmAYapV', 'SuhWh2tv7d', 'vwZWPov9L5', 'dKJWUMMrRv', 'ShhWjIuYDD', 'ERvWVXFKx8', 'n1xWyXxW4Q'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, JBquDIkTJBCKCHfOX3.cs	High entropy of concatenated method names: 'zylTqxQRaI', 'evTTDfDOJB', 'tvAvKWRhHR', 'efcvM4CF67', 'pSYTSjedom', 'zjeTa8b1P2', 'NseTLB8iZL', 'zKcTRUBovr', 'zV9TXFvPVy', 'GA7TwqPK6T'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, pQCggtydJZWO9wRk8V.cs	High entropy of concatenated method names: 'Lfqp1PuoU8', 'hqSpGbRlR8', 'DWhpHpRojL', 'UXhpbZ3ajm', 'BJ1pOPjk92', 'Dt3povj60C', 'DuYpYgAnjp', 'KRppBBNMwf', 'FiMpexrqJH', 'XjbpxqMgHF'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, wjJ0770SbtFvmJLYy0.cs	High entropy of concatenated method names: 'Nr93NL2UjN', 'MVj3TjWi8o', 'LNu33YjNcS', 'NH33uqnF5f', 'gE23CHsGUA', 'NBb3r85SZO', 'Dispose', 'N5Ev9n9t8N', 'qCYvJd1D7E', 'yEDvlhmIc1'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, t2xSoI5OIPqG3Emstu.cs	High entropy of concatenated method names: 'lGyc8pO2Lu', 'V2kcJ6DXCZ', 'YcOcQ3cQwX', 'zM1cpc13YM', 'EKacieE2Bg', 'xW4QIqAskj', 'r8tQkK4PPO', 'DyVQ0BOv5e', 'wlRQqLKyNx', 'EgoQsI2Zb9'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, BBG68ril99edvlsaCS.cs	High entropy of concatenated method names: 'bAct8pHDaF', 'BdCt9rWjKG', 'pYutJZ3bnN', 'OqftlW6EId', 'NUptQAqTcY', 'fF3tcBBTQY', 'YQUtppk3Ji', 'xBXtieBXw2', 'apRt4QOr0W', 'pXnt7UVEtI'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, uFsj5WRoiYsTfJXB4I.cs	High entropy of concatenated method names: 'zcLNfDwbQQ', 'QOiNaBdTgB', 'SkyNRVpuGj', 'phmNXnjtTR', 'WCnNEXhOrU', 'xJLNmZ1Msu', 'AjDNhX1SpF', 'YyFNPdjKFW', 'bUINUEIUvu', 'XtDNj5qGMg'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, nh2UCue7G7vdMMX7Dg.cs	High entropy of concatenated method names: 'ebelbpT0u9', 'eCQloG2nZO', 'ENilBkvJWB', 'fHTleL9pda', 'IQAlNYseh2', 'xP6lWFdrSW', 'dpNlTmxgae', 'BgSlv8aajo', 'M1ul3ehYjQ', 'lY9lFt668F'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, WOiRsLxcY7rY5d8atk.cs	High entropy of concatenated method names: 'Fw4QOOOorS', 'XhdQY0wj6s', 'DmllmTXttf', 'DB8lhkreYZ', 'maRlPU9iZD', 'TJylU1GIGX', 'pgmljARcFg', 'itZlV0Hx4g', 'wU1lyxSreb', 'UUOlfEiAgV'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, KQFy4hAZGpktWxQ9X2.cs	High entropy of concatenated method names: 'KsPMp2rLQ5', 'P9pMir58ND', 't7GM77vdMM', 'R7DMngqOiR', 'w8aMNtkF2x', 'OoIMWOIPqG', 'x7xjQU0cSF9WN7y31K', 'HVl0x99XgMJ9M3WJPh', 'kUVMMaKJPm', 'oIlMteXdJT'
Source: 0.2.product sample requirement.exe.38a5f70.3.raw.unpack, wZq0OkMKagw2smxV2ca.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'vaAFSwWYCm', 'EwlFaAm5An', 'e0bFLTmkT8', 'wy7FRb6Yag', 'KiFFXT3Zof', 'zPGFwA3wPY', 'MuMFgiq9mT'

Source: C:\Users\user\Desktop\product sample requirement.exe

File created: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\product sample requirement.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: product sample requirement.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TWmzcmqkuotC.exe PID: 7340, type: MEMORYSTR

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController

Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 2560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 2710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 4710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 8830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 9830000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 9A30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: AA30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 2ED0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 3140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Memory allocated: 2F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: EB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: 2980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: 4980000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: 8520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: 9520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: 9710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: A710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: 28C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: 2B20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory allocated: 28C0000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\product sample requirement.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6176	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1139	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7906	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1340	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Window / User API: threadDelayed 1863	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Window / User API: threadDelayed 7984	Jump to behavior

Source: C:\Users\user\Desktop\product sample requirement.exe TID: 6528	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7288	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7212	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep count: 7906 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep count: 1340 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7296	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe TID: 7636	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe TID: 7636	Thread sleep time: -35048813740048126s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe TID: 7648	Thread sleep count: 1863 > 30	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe TID: 7648	Thread sleep count: 7984 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe TID: 7364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe TID: 7620	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Users\user\Desktop\product sample requirement.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Thread delayed: delay time: 922337203685477

Source: product sample requirement.exe, 00000008.00000002.4126443765.0000000001136000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln=0

Source: C:\Users\user\Desktop\product sample requirement.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\product sample requirement.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\product sample requirement.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe"
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe"	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\product sample requirement.exe	Memory written: C:\Users\user\Desktop\product sample requirement.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Memory written: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe"	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Process created: C:\Users\user\Desktop\product sample requirement.exe "C:\Users\user\Desktop\product sample requirement.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Process created: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"	Jump to behavior

Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Users\user\Desktop\product sample requirement.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\DUBAI-MEDIUM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\OFFSYMSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Users\user\Desktop\product sample requirement.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\product sample requirement.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Queries volume information: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Queries volume information: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation

Source: C:\Users\user\Desktop\product sample requirement.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: product sample requirement.exe, 00000008.00000002.4126443765.000000000118E000.00000004.00000020.00020000.00000000.sdmp, product sample requirement.exe, 00000008.00000002.4126443765.0000000001136000.00000004.00000020.00020000.00000000.sdmp, product sample requirement.exe, 00000008.00000002.4126443765.00000000011EF000.00000004.00000020.00020000.00000000.sdmp, product sample requirement.exe, 00000008.00000002.4126443765.00000000011D3000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\product sample requirement.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 0.2.product sample requirement.exe.27e0bd4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TWmzcmqkuotC.exe.2a48528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TWmzcmqkuotC.exe.2a50808.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.product sample requirement.exe.27d88f4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.TWmzcmqkuotC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.product sample requirement.exe.276fe74.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1778713308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: product sample requirement.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TWmzcmqkuotC.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TWmzcmqkuotC.exe PID: 7592, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 0.2.product sample requirement.exe.27e0bd4.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TWmzcmqkuotC.exe.2a48528.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TWmzcmqkuotC.exe.2a50808.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.product sample requirement.exe.27d88f4.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.TWmzcmqkuotC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TWmzcmqkuotC.exe.2a48528.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.product sample requirement.exe.27d88f4.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.TWmzcmqkuotC.exe.2a50808.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.product sample requirement.exe.27e0bd4.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.product sample requirement.exe.276fe74.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.1778713308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: product sample requirement.exe PID: 6576, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TWmzcmqkuotC.exe PID: 7340, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: TWmzcmqkuotC.exe PID: 7592, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	111 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	11 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	131 Virtualization/Sandbox Evasion	Security Account Manager	131 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	22 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
product sample requirement.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla
product sample requirement.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe	66%	ReversingLabs	ByteCode-MSIL.Trojan.AgentTesla

Source	Detection	Scanner	Label	Link
teebro1800.dynamic-dns.net	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
teebro1800.dynamic-dns.net	109.248.151.221	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
teebro1800.dynamic-dns.net	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://www.apache.org/licenses/LICENSE-2.0	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designersG	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/?	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/bThe	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers?	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.tiro.com	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.goodfont.co.kr	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://tempuri.org/project_mgtDataSet.xsdOproject_mgt_system.Properties.Resources	product sample requirement.exe, TWmzcmqkuotC.exe.0.dr	false	high
http://go.mic	product sample requirement.exe, 00000008.00000002.4126443765.0000000001136000.00000004.00000020.00020000.00000000.sdmp	false	high
http://www.carterandcone.coml	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sajatypeworks.com	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.typography.netD	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/cabarga.htmlN	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn/cThe	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/staff/dennis.htm	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.founder.com.cn/cn	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers/frere-user.html	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.jiyu-kobo.co.jp/	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.galapagosdesign.com/DPlease	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fontbureau.com/designers8	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.fonts.com	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sandoll.co.kr	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.urwpp.deDPlease	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.zhongyicts.com.cn	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	product sample requirement.exe, 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp, product sample requirement.exe, 00000008.00000002.4127948271.0000000003141000.00000004.00000800.00020000.00000000.sdmp, TWmzcmqkuotC.exe, 00000009.00000002.1766752393.0000000002981000.00000004.00000800.00020000.00000000.sdmp	false	high
http://www.sakkal.com	product sample requirement.exe, 00000000.00000002.1729601394.0000000006922000.00000004.00000800.00020000.00000000.sdmp, product sample requirement.exe, 00000000.00000002.1729533775.0000000005130000.00000004.00000020.00020000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
109.248.151.221	teebro1800.dynamic-dns.net	Russian Federation		52048	DATACLUBLV	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560738
Start date and time:	2024-11-22 09:14:44 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	product sample requirement.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@19/15@8/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 98% Number of executed functions: 227 Number of non-executed functions: 12
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target TWmzcmqkuotC.exe, PID 7592 because it is empty
Execution Graph export aborted for target product sample requirement.exe, PID 7236 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: product sample requirement.exe

Simulations

Behavior and APIs

Time	Type	Description
03:15:37	API Interceptor	8521548x Sleep call for process: product sample requirement.exe modified
03:15:39	API Interceptor	35x Sleep call for process: powershell.exe modified
03:15:41	API Interceptor	2x Sleep call for process: TWmzcmqkuotC.exe modified
08:15:41	Task Scheduler	Run new task: TWmzcmqkuotC path: C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
teebro1800.dynamic-dns.net	z1ProductSampleRequirement.exe	Get hash	malicious	Remcos	Browse	51.75.166.98
teebro1800.dynamic-dns.net	HSBC Payment Swift Copy.exe	Get hash	malicious	Remcos	Browse	140.228.29.6

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
DATACLUBLV	COTIZACIONSyCONSULTA#46789NOV24.bat.exe	Get hash	malicious	Remcos, GuLoader	Browse	46.183.220.125
	Finvasken.exe	Get hash	malicious	FormBook, GuLoader	Browse	109.248.151.196
	Finvasken.exe	Get hash	malicious	FormBook, GuLoader	Browse	109.248.151.196
	USD Payment Receipt 12112024.exe	Get hash	malicious	NoCry, XWorm	Browse	109.248.151.21
	86#U041b.exe	Get hash	malicious	XWorm	Browse	84.38.130.134
	46roqD3HEE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	109.248.150.169
	46roqD3HEE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	109.248.150.169
	iENcsTur6E.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	109.248.150.169
	6ehOuQ8ifL.exe	Get hash	malicious	AgentTesla	Browse	109.248.150.169
	Noncapture19.exe	Get hash	malicious	FormBook, GuLoader	Browse	109.248.151.196

Process:	C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\product sample requirement.exe.log

Download File

Process:	C:\Users\user\Desktop\product sample requirement.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMuge//ZeUyus:lGLHxv2IfLZ2KRH6Ougos
MD5:	534D6716758747FA57A53A245EB4D6A1
SHA1:	78784FF1B73FBA507598C5D518BE90D9B96EE1B6
SHA-256:	2BC11EC63A7511C3C755BA497E774B153A2C8366E779B00369714A49EE4E492B
SHA-512:	D957D8DD62F4694C3FF7CE48384356F756370B082B488529AB510C35DB5C06C159EACA9ABEADFC715E13BAB7C5EDF2DD9D7134BDBF6DCF1D2B3F4451E1454475
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1yewi1od.ii5.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fcgsw2b.fo1.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjk12krn.g5p.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyd2q3f5.c0l.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ir3lksmf.hg3.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l00opidz.oys.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prteouww.rsg.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qz5z2kog.pcy.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.116333157337675
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaBIxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT/v
MD5:	64F99015749EC0B20ACF03168E78014A
SHA1:	774A9C55A40906DA0070A62092842A4AE53A9081
SHA-256:	1D236F557DB2338C7BD73AA87F8D06EE04FC55C3B5E3079E81DA7256A60E0B49
SHA-512:	8E6F5EF54B24F6C57201F5FA2CC0729C265CA87E8DE18EDD03CFCA2E9EB47FA87503056F0E9FF608279744A1E8AFFDAB2D9554D1CEA2F02550DB863F57BC66DF
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpA26.tmp

Download File

Process:	C:\Users\user\Desktop\product sample requirement.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1578
Entropy (8bit):	5.116333157337675
Encrypted:	false
SSDEEP:	24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaBIxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT/v
MD5:	64F99015749EC0B20ACF03168E78014A
SHA1:	774A9C55A40906DA0070A62092842A4AE53A9081
SHA-256:	1D236F557DB2338C7BD73AA87F8D06EE04FC55C3B5E3079E81DA7256A60E0B49
SHA-512:	8E6F5EF54B24F6C57201F5FA2CC0729C265CA87E8DE18EDD03CFCA2E9EB47FA87503056F0E9FF608279744A1E8AFFDAB2D9554D1CEA2F02550DB863F57BC66DF
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe

Download File

Process:	C:\Users\user\Desktop\product sample requirement.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	448512
Entropy (8bit):	7.899851657059944
Encrypted:	false
SSDEEP:	12288:pMFo7mq6/FqLzEvttwVnGUaGtyk6JXFajEHUC:pko7mq+I/EOoEIr
MD5:	07D5A83558349A82CFA1DC6D68F4D84B
SHA1:	064AF18045030703BC4C62C99F1ABE5700832E8A
SHA-256:	096B33571E80D18C1763A3BD5D019E3177F1547B3CA6E6205A349075CE2FEC18
SHA-512:	AA9D794E0FFB14163F3D1C2DF374B99DA287B7CE1DF965E271921A700A9972C6EAD3830F0319EB9EC2D1352E2C0A06BB192045E482B2D54FE091C29DC58946BF
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-<g..............0................. ........@.. .......................@............@.....................................O.......L.................... ..........T............................................ ............... ..H............text...0.... ...................... ..`.rsrc...L...........................@..@.reloc....... ......................@..B........................H........}...O......i....................................................0..$..........s......s.....s ......o!...&..+...0..)........s\....s.......o[...s......o".......+.......0..+........s\....r...p.(#......o[...s......o$....+....0..0........s\....rC..p.r...p(%......o[...s......o$....+...0...........s\.......O...%.r...p.%...%.r...p.%...%.r...p.%....%.r!..p.%....%.r;..p.%.....%..rU..p.%.....%..ry..p.%....%..r...p.(&......o[...s.......o$...&r...p('...&......o(...('...&....

C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\product sample requirement.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.899851657059944
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	product sample requirement.exe
File size:	448'512 bytes
MD5:	07d5a83558349a82cfa1dc6d68f4d84b
SHA1:	064af18045030703bc4c62c99f1abe5700832e8a
SHA256:	096b33571e80d18c1763a3bd5d019e3177f1547b3ca6e6205a349075ce2fec18
SHA512:	aa9d794e0ffb14163f3d1c2df374b99da287b7ce1df965e271921a700a9972c6ead3830f0319eb9ec2d1352e2c0a06bb192045e482b2d54fe091c29dc58946bf
SSDEEP:	12288:pMFo7mq6/FqLzEvttwVnGUaGtyk6JXFajEHUC:pko7mq+I/EOoEIr
TLSH:	AD94018132AD9FABD57A5BF16222645117F5283B6A32F21C1FD240DF2D7AF006761B0B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-<g..............0.............*.... ........@.. .......................@............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x46eb2a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x673C2D0F [Tue Nov 19 06:15:43 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x6ead6	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x70000	0x64c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x72000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x6c9d8	0x54	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x6cb30	0x6cc00	de7fadb31d125c006b04b7d8ac37576f	False	0.9335623204022988	data	7.914229382691976	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x70000	0x64c	0x800	ccde5771d2be2cbd7ab9cb27545fa3f8	False	0.341796875	data	3.514751469590367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x72000	0xc	0x200	6cbf4c2f3aa890a0dbbce9eb4b9fa19a	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x70090	0x3bc	data			0.4131799163179916
RT_MANIFEST	0x7045c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T09:17:07.824645+0100	2855924	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	49835	109.248.151.221	2195	TCP
2024-11-22T09:18:32.444655+0100	2853193	ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound	1	192.168.2.4	50032	109.248.151.221	2195	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 09:15:44.022052050 CET	49734	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:44.141654968 CET	2195	49734	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:44.141756058 CET	49734	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:44.761178970 CET	49734	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:44.880902052 CET	2195	49734	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:45.528965950 CET	2195	49734	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:45.529046059 CET	49734	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:49.527546883 CET	49734	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:49.530030966 CET	49736	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:49.647260904 CET	2195	49734	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:49.649630070 CET	2195	49736	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:49.649843931 CET	49736	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:49.858047009 CET	49736	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:49.977694988 CET	2195	49736	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:51.046667099 CET	2195	49736	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:51.049058914 CET	49736	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:53.464950085 CET	49736	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:53.466892004 CET	49738	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:53.584748030 CET	2195	49736	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:53.586877108 CET	2195	49738	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:53.586952925 CET	49738	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:53.607582092 CET	49738	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:53.727271080 CET	2195	49738	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:54.934092999 CET	2195	49738	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:54.934185028 CET	49738	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:57.871717930 CET	49738	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:57.872847080 CET	49742	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:57.991333961 CET	2195	49738	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:57.992377996 CET	2195	49742	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:57.992521048 CET	49742	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:58.038222075 CET	49742	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:15:58.158031940 CET	2195	49742	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:59.343750000 CET	2195	49742	109.248.151.221	192.168.2.4
Nov 22, 2024 09:15:59.343822002 CET	49742	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:02.449476004 CET	49742	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:02.450926065 CET	49745	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:02.569233894 CET	2195	49742	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:02.570508957 CET	2195	49745	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:02.570728064 CET	49745	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:02.589823961 CET	49745	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:02.709434986 CET	2195	49745	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:03.875591040 CET	2195	49745	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:03.875710964 CET	49745	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:07.147692919 CET	49745	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:07.148540974 CET	49746	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:07.267632008 CET	2195	49745	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:07.268232107 CET	2195	49746	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:07.268423080 CET	49746	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:07.485743046 CET	49746	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:07.605431080 CET	2195	49746	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:08.660748959 CET	2195	49746	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:08.660830021 CET	49746	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:11.293171883 CET	49746	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:11.294313908 CET	49747	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:11.412879944 CET	2195	49746	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:11.413945913 CET	2195	49747	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:11.414057016 CET	49747	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:11.433475971 CET	49747	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:11.553092003 CET	2195	49747	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:12.763955116 CET	2195	49747	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:12.764040947 CET	49747	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:15.871279955 CET	49747	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:15.990838051 CET	2195	49747	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:16.189205885 CET	49748	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:16.308779955 CET	2195	49748	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:16.308934927 CET	49748	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:16.329668999 CET	49748	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:16.451023102 CET	2195	49748	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:17.612530947 CET	2195	49748	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:17.613517046 CET	49748	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:20.590267897 CET	49748	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:20.591284990 CET	49749	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:20.710216999 CET	2195	49748	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:20.710931063 CET	2195	49749	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:20.711157084 CET	49749	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:20.727669954 CET	49749	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:20.847393036 CET	2195	49749	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:22.060903072 CET	2195	49749	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:22.061024904 CET	49749	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:25.730804920 CET	49749	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:25.733030081 CET	49750	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:25.850733042 CET	2195	49749	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:25.852746964 CET	2195	49750	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:25.852843046 CET	49750	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:25.871373892 CET	49750	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:25.991218090 CET	2195	49750	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:27.202214956 CET	2195	49750	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:27.202306986 CET	49750	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:29.871376038 CET	49750	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:29.872512102 CET	49751	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:29.991084099 CET	2195	49750	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:29.992115974 CET	2195	49751	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:29.992218971 CET	49751	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:30.010442019 CET	49751	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:30.130084991 CET	2195	49751	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:31.344849110 CET	2195	49751	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:31.345088005 CET	49751	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:33.699418068 CET	49751	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:33.701277018 CET	49752	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:33.819268942 CET	2195	49751	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:33.821183920 CET	2195	49752	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:33.821288109 CET	49752	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:33.841543913 CET	49752	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:33.961118937 CET	2195	49752	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:35.156100988 CET	2195	49752	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:35.157075882 CET	49752	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:36.933820963 CET	49752	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:36.934931993 CET	49755	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:37.061971903 CET	2195	49752	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:37.061986923 CET	2195	49755	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:37.062103033 CET	49755	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:37.077900887 CET	49755	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:37.197475910 CET	2195	49755	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:38.841099024 CET	2195	49755	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:38.841577053 CET	49755	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:38.996411085 CET	49755	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:38.997776985 CET	49761	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:39.116080999 CET	2195	49755	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:39.117285013 CET	2195	49761	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:39.117409945 CET	49761	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:39.146034956 CET	49761	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:39.265779018 CET	2195	49761	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:40.467009068 CET	2195	49761	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:40.471435070 CET	49761	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:41.449717999 CET	49761	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:41.452358007 CET	49767	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:41.569302082 CET	2195	49761	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:41.571851015 CET	2195	49767	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:41.571963072 CET	49767	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:41.589179993 CET	49767	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:41.708695889 CET	2195	49767	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:42.924520969 CET	2195	49767	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:42.927454948 CET	49767	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:43.684034109 CET	49767	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:43.685415983 CET	49773	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:43.803546906 CET	2195	49767	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:43.805008888 CET	2195	49773	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:43.805129051 CET	49773	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:43.822591066 CET	49773	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:43.942194939 CET	2195	49773	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:45.202876091 CET	2195	49773	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:45.202971935 CET	49773	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:45.261915922 CET	49773	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:45.264307022 CET	49779	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:45.381469011 CET	2195	49773	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:45.383835077 CET	2195	49779	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:45.383932114 CET	49779	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:45.405711889 CET	49779	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:45.525363922 CET	2195	49779	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:46.830090046 CET	2195	49779	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:46.831384897 CET	49779	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:47.105767012 CET	49779	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:47.225399017 CET	2195	49779	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:47.424114943 CET	49785	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:47.543818951 CET	2195	49785	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:47.543932915 CET	49785	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:47.562681913 CET	49785	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:47.682248116 CET	2195	49785	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:48.892183065 CET	2195	49785	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:48.896245003 CET	49785	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:49.293268919 CET	49785	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:49.295298100 CET	49791	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:49.412864923 CET	2195	49785	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:49.414874077 CET	2195	49791	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:49.414947987 CET	49791	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:49.458704948 CET	49791	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:49.578233957 CET	2195	49791	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:50.718190908 CET	2195	49791	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:50.718305111 CET	49791	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:51.121918917 CET	49791	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:51.141486883 CET	49795	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:51.241497993 CET	2195	49791	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:51.261030912 CET	2195	49795	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:51.261249065 CET	49795	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:51.279598951 CET	49795	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:51.399079084 CET	2195	49795	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:52.611619949 CET	2195	49795	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:52.612051010 CET	49795	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:52.652652025 CET	49795	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:52.655872107 CET	49798	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:52.772080898 CET	2195	49795	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:52.775517941 CET	2195	49798	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:52.775696993 CET	49798	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:52.793006897 CET	49798	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:52.912575006 CET	2195	49798	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:53.920808077 CET	49798	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:54.040302038 CET	2195	49798	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:54.080425024 CET	2195	49798	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:54.080604076 CET	49798	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:54.106349945 CET	49798	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:54.107388973 CET	49804	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:54.225924015 CET	2195	49798	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:54.226840973 CET	2195	49804	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:54.227046013 CET	49804	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:54.409071922 CET	49804	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:54.528587103 CET	2195	49804	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:55.537517071 CET	2195	49804	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:55.537599087 CET	49804	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:55.543416023 CET	49804	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:55.546050072 CET	49805	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:55.663011074 CET	2195	49804	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:55.665790081 CET	2195	49805	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:55.665868998 CET	49805	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:55.711365938 CET	49805	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:16:55.830936909 CET	2195	49805	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:57.016364098 CET	2195	49805	109.248.151.221	192.168.2.4
Nov 22, 2024 09:16:57.016437054 CET	49805	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:01.152672052 CET	49805	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:01.156955004 CET	49821	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:01.272341013 CET	2195	49805	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:01.276680946 CET	2195	49821	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:01.276781082 CET	49821	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:01.321078062 CET	49821	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:01.440907001 CET	2195	49821	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:01.440968037 CET	49821	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:01.560574055 CET	2195	49821	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:02.581870079 CET	2195	49821	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:02.581949949 CET	49821	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:07.543340921 CET	49821	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:07.545228958 CET	49835	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:07.662830114 CET	2195	49821	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:07.664808989 CET	2195	49835	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:07.664879084 CET	49835	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:07.705071926 CET	49835	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:07.824592113 CET	2195	49835	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:07.824645042 CET	49835	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:07.944168091 CET	2195	49835	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:07.945422888 CET	49835	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:08.064924002 CET	2195	49835	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:09.111574888 CET	2195	49835	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:09.111649990 CET	49835	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:13.059004068 CET	49835	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:13.062181950 CET	49847	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:13.178639889 CET	2195	49835	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:13.181742907 CET	2195	49847	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:13.181822062 CET	49847	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:13.210834026 CET	49847	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:13.330384970 CET	2195	49847	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:14.578416109 CET	2195	49847	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:14.578668118 CET	49847	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:18.373127937 CET	49847	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:18.493662119 CET	2195	49847	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:18.675962925 CET	49859	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:18.795553923 CET	2195	49859	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:18.795734882 CET	49859	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:18.857994080 CET	49859	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:18.977519035 CET	2195	49859	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:19.043698072 CET	49859	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:19.163161993 CET	2195	49859	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:20.192817926 CET	2195	49859	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:20.192923069 CET	49859	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:24.061059952 CET	49859	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:24.061290979 CET	49874	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:24.180583954 CET	2195	49859	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:24.180794954 CET	2195	49874	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:24.180927038 CET	49874	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:24.249042034 CET	49874	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:24.368683100 CET	2195	49874	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:25.075208902 CET	49874	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:25.194833040 CET	2195	49874	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:25.531023979 CET	2195	49874	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:25.531100988 CET	49874	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:29.308948040 CET	49874	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:29.310348034 CET	49886	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:29.428425074 CET	2195	49874	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:29.429868937 CET	2195	49886	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:29.429939032 CET	49886	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:29.467187881 CET	49886	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:29.586725950 CET	2195	49886	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:29.586782932 CET	49886	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:29.706378937 CET	2195	49886	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:29.706465960 CET	49886	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:29.826014996 CET	2195	49886	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:30.074846983 CET	49886	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:30.194346905 CET	2195	49886	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:30.857764959 CET	2195	49886	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:30.860877037 CET	49886	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:35.090295076 CET	49886	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:35.091989994 CET	49901	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:35.210679054 CET	2195	49886	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:35.212374926 CET	2195	49901	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:35.212479115 CET	49901	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:35.251195908 CET	49901	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:35.371129036 CET	2195	49901	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:35.434179068 CET	49901	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:35.553720951 CET	2195	49901	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:36.610152960 CET	2195	49901	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:36.610236883 CET	49901	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:40.449719906 CET	49901	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:40.453319073 CET	49913	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:40.570322990 CET	2195	49901	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:40.573648930 CET	2195	49913	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:40.573868990 CET	49913	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:40.679364920 CET	49913	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:40.798986912 CET	2195	49913	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:42.040077925 CET	2195	49913	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:42.040231943 CET	49913	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:46.451353073 CET	49913	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:46.452172995 CET	49927	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:46.570898056 CET	2195	49913	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:46.571743965 CET	2195	49927	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:46.571939945 CET	49927	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:46.715351105 CET	49927	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:46.834933043 CET	2195	49927	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:47.090765953 CET	49927	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:47.210254908 CET	2195	49927	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:47.968997002 CET	2195	49927	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:47.969118118 CET	49927	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:48.508429050 CET	2195	49927	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:48.508501053 CET	49927	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:52.152774096 CET	49927	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:52.272329092 CET	2195	49927	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:52.470354080 CET	49940	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:52.590781927 CET	2195	49940	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:52.591088057 CET	49940	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:52.699244976 CET	49940	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:52.819252968 CET	2195	49940	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:53.325701952 CET	49940	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:53.445173979 CET	2195	49940	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:53.898468018 CET	2195	49940	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:53.898545980 CET	49940	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:58.340671062 CET	49940	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:58.343511105 CET	49955	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:58.460155964 CET	2195	49940	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:58.462970018 CET	2195	49955	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:58.463148117 CET	49955	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:58.673439026 CET	49955	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:17:58.792877913 CET	2195	49955	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:59.813416958 CET	2195	49955	109.248.151.221	192.168.2.4
Nov 22, 2024 09:17:59.813509941 CET	49955	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:03.762109995 CET	49955	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:03.764133930 CET	49967	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:04.039621115 CET	2195	49955	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:04.039663076 CET	2195	49967	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:04.044729948 CET	49967	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:04.217196941 CET	49967	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:04.336832047 CET	2195	49967	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:04.337260962 CET	49967	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:04.456873894 CET	2195	49967	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:05.440903902 CET	2195	49967	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:05.440972090 CET	49967	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:09.294042110 CET	49967	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:09.297210932 CET	49978	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:09.413470984 CET	2195	49967	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:09.416662931 CET	2195	49978	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:09.417191982 CET	49978	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:09.703227043 CET	49978	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:09.823966980 CET	2195	49978	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:10.074826956 CET	49978	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:10.194314957 CET	2195	49978	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:10.809998035 CET	2195	49978	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:10.810080051 CET	49978	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:15.155011892 CET	49993	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:15.155014038 CET	49978	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:15.274580002 CET	2195	49978	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:15.274633884 CET	2195	49993	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:15.275237083 CET	49993	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:15.334928989 CET	49993	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:15.454433918 CET	2195	49993	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:16.625097990 CET	2195	49993	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:16.625173092 CET	49993	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:20.887228966 CET	49993	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:20.889097929 CET	50005	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:21.006726027 CET	2195	49993	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:21.008558989 CET	2195	50005	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:21.008635998 CET	50005	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:21.055896044 CET	50005	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:21.176043034 CET	2195	50005	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:22.406898022 CET	2195	50005	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:22.406989098 CET	50005	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:26.419723034 CET	50005	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:26.539174080 CET	2195	50005	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:26.733974934 CET	50021	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:26.853530884 CET	2195	50021	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:26.853681087 CET	50021	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:26.881724119 CET	50021	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:27.001198053 CET	2195	50021	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:27.001280069 CET	50021	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:27.120812893 CET	2195	50021	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:28.203653097 CET	2195	50021	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:28.203716993 CET	50021	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:32.044029951 CET	50021	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:32.048511028 CET	50032	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:32.163639069 CET	2195	50021	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:32.167927980 CET	2195	50032	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:32.168018103 CET	50032	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:32.205600977 CET	50032	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:32.325073957 CET	2195	50032	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:32.325129032 CET	50032	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:32.444597960 CET	2195	50032	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:32.444654942 CET	50032	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:32.564152002 CET	2195	50032	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:32.564203978 CET	50032	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:32.683634043 CET	2195	50032	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:33.554050922 CET	2195	50032	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:33.554192066 CET	50032	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:37.593143940 CET	50046	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:37.593143940 CET	50032	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:37.712856054 CET	2195	50032	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:37.712892056 CET	2195	50046	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:37.713078022 CET	50046	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:37.805833101 CET	50046	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:37.925368071 CET	2195	50046	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:39.155766010 CET	2195	50046	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:39.158405066 CET	50046	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:42.981081963 CET	50046	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:42.983942986 CET	50048	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:43.101711035 CET	2195	50046	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:43.103727102 CET	2195	50048	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:43.110830069 CET	50048	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:43.209877968 CET	50048	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:43.329356909 CET	2195	50048	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:44.520554066 CET	2195	50048	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:44.520641088 CET	50048	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:48.299293995 CET	50048	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:48.303780079 CET	50049	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:48.419009924 CET	2195	50048	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:48.423397064 CET	2195	50049	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:48.423482895 CET	50049	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:48.864780903 CET	50049	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:48.984309912 CET	2195	50049	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:48.984369993 CET	50049	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:49.105076075 CET	2195	50049	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:49.821583033 CET	2195	50049	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:49.821672916 CET	50049	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:53.999382019 CET	50049	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:54.019352913 CET	50050	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:54.118962049 CET	2195	50049	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:54.138919115 CET	2195	50050	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:54.138997078 CET	50050	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:54.332732916 CET	50050	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:54.452950954 CET	2195	50050	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:54.481452942 CET	50050	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:54.600919008 CET	2195	50050	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:55.503173113 CET	2195	50050	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:55.505368948 CET	50050	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:59.591352940 CET	50050	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:18:59.710803986 CET	2195	50050	109.248.151.221	192.168.2.4
Nov 22, 2024 09:18:59.903352976 CET	50051	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:00.024008989 CET	2195	50051	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:00.024251938 CET	50051	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:00.108057976 CET	50051	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:00.227464914 CET	2195	50051	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:01.327795029 CET	2195	50051	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:01.328150988 CET	50051	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:05.137258053 CET	50051	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:05.138938904 CET	50052	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:05.256886005 CET	2195	50051	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:05.258414984 CET	2195	50052	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:05.258519888 CET	50052	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:05.324457884 CET	50052	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:05.445517063 CET	2195	50052	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:06.608045101 CET	2195	50052	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:06.610094070 CET	50052	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:10.344913960 CET	50052	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:10.349524021 CET	50053	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:10.467278004 CET	2195	50052	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:10.471395969 CET	2195	50053	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:10.471510887 CET	50053	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:10.498419046 CET	50053	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:10.617897034 CET	2195	50053	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:11.774960041 CET	2195	50053	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:11.775058985 CET	50053	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:15.543790102 CET	50053	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:15.547010899 CET	50054	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:15.663295984 CET	2195	50053	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:15.666495085 CET	2195	50054	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:15.666660070 CET	50054	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:15.775243998 CET	50054	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:15.894781113 CET	2195	50054	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:17.147377014 CET	2195	50054	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:17.147449017 CET	50054	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:21.043576002 CET	50054	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:21.046864033 CET	50055	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:21.162997961 CET	2195	50054	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:21.167071104 CET	2195	50055	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:21.167198896 CET	50055	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:21.394447088 CET	50055	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:21.514641047 CET	2195	50055	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:21.684566975 CET	50055	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:21.804539919 CET	2195	50055	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:21.996984005 CET	50055	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:22.117243052 CET	2195	50055	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:22.469850063 CET	2195	50055	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:22.469932079 CET	50055	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:27.059252024 CET	50055	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:27.062689066 CET	50056	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:27.178706884 CET	2195	50055	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:27.182249069 CET	2195	50056	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:27.188883066 CET	50056	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:27.365329981 CET	50056	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:27.486409903 CET	2195	50056	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:28.584558010 CET	2195	50056	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:28.584631920 CET	50056	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:32.512366056 CET	50056	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:32.631815910 CET	2195	50056	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:32.832989931 CET	50057	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:32.952472925 CET	2195	50057	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:32.952569008 CET	50057	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:32.988400936 CET	50057	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:33.107973099 CET	2195	50057	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:34.302850008 CET	2195	50057	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:34.302901030 CET	50057	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.044800043 CET	50057	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.046646118 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.164489031 CET	2195	50057	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:38.166166067 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:38.166281939 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.222270966 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.341814041 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:38.341878891 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.461364985 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:38.461412907 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.580791950 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:38.580878019 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.700433969 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:38.840866089 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:38.960305929 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:38.960352898 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:39.079804897 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:39.079862118 CET	50058	2195	192.168.2.4	109.248.151.221
Nov 22, 2024 09:19:39.199280024 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:39.475450039 CET	2195	50058	109.248.151.221	192.168.2.4
Nov 22, 2024 09:19:39.483419895 CET	50058	2195	192.168.2.4	109.248.151.221

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 09:15:43.084871054 CET	60434	53	192.168.2.4	1.1.1.1
Nov 22, 2024 09:15:44.014076948 CET	53	60434	1.1.1.1	192.168.2.4
Nov 22, 2024 09:16:15.872637033 CET	57467	53	192.168.2.4	1.1.1.1
Nov 22, 2024 09:16:16.187975883 CET	53	57467	1.1.1.1	192.168.2.4
Nov 22, 2024 09:16:47.107153893 CET	55302	53	192.168.2.4	1.1.1.1
Nov 22, 2024 09:16:47.422873020 CET	53	55302	1.1.1.1	192.168.2.4
Nov 22, 2024 09:17:18.374810934 CET	61933	53	192.168.2.4	1.1.1.1
Nov 22, 2024 09:17:18.675059080 CET	53	61933	1.1.1.1	192.168.2.4
Nov 22, 2024 09:17:52.155280113 CET	60339	53	192.168.2.4	1.1.1.1
Nov 22, 2024 09:17:52.469444036 CET	53	60339	1.1.1.1	192.168.2.4
Nov 22, 2024 09:18:26.423135042 CET	56478	53	192.168.2.4	1.1.1.1
Nov 22, 2024 09:18:26.733156919 CET	53	56478	1.1.1.1	192.168.2.4
Nov 22, 2024 09:18:59.598335028 CET	56014	53	192.168.2.4	1.1.1.1
Nov 22, 2024 09:18:59.898725033 CET	53	56014	1.1.1.1	192.168.2.4
Nov 22, 2024 09:19:32.515826941 CET	54627	53	192.168.2.4	1.1.1.1
Nov 22, 2024 09:19:32.832118988 CET	53	54627	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 09:15:43.084871054 CET	192.168.2.4	1.1.1.1	0x834e	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:16:15.872637033 CET	192.168.2.4	1.1.1.1	0x6152	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:16:47.107153893 CET	192.168.2.4	1.1.1.1	0xa8ac	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:17:18.374810934 CET	192.168.2.4	1.1.1.1	0x6822	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:17:52.155280113 CET	192.168.2.4	1.1.1.1	0xf095	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:18:26.423135042 CET	192.168.2.4	1.1.1.1	0x9c96	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:18:59.598335028 CET	192.168.2.4	1.1.1.1	0x90a4	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:19:32.515826941 CET	192.168.2.4	1.1.1.1	0x6a41	Standard query (0)	teebro1800.dynamic-dns.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 09:15:44.014076948 CET	1.1.1.1	192.168.2.4	0x834e	No error (0)	teebro1800.dynamic-dns.net	109.248.151.221	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:16:16.187975883 CET	1.1.1.1	192.168.2.4	0x6152	No error (0)	teebro1800.dynamic-dns.net	109.248.151.221	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:16:47.422873020 CET	1.1.1.1	192.168.2.4	0xa8ac	No error (0)	teebro1800.dynamic-dns.net	109.248.151.221	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:17:18.675059080 CET	1.1.1.1	192.168.2.4	0x6822	No error (0)	teebro1800.dynamic-dns.net	109.248.151.221	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:17:52.469444036 CET	1.1.1.1	192.168.2.4	0xf095	No error (0)	teebro1800.dynamic-dns.net	109.248.151.221	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:18:26.733156919 CET	1.1.1.1	192.168.2.4	0x9c96	No error (0)	teebro1800.dynamic-dns.net	109.248.151.221	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:18:59.898725033 CET	1.1.1.1	192.168.2.4	0x90a4	No error (0)	teebro1800.dynamic-dns.net	109.248.151.221	A (IP address)	IN (0x0001)	false
Nov 22, 2024 09:19:32.832118988 CET	1.1.1.1	192.168.2.4	0x6a41	No error (0)	teebro1800.dynamic-dns.net	109.248.151.221	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	03:15:36
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\product sample requirement.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\product sample requirement.exe"
Imagebase:	0x3b0000
File size:	448'512 bytes
MD5 hash:	07D5A83558349A82CFA1DC6D68F4D84B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1725821769.0000000002711000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:15:38
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\product sample requirement.exe"
Imagebase:	0xfe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:15:38
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:15:38
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"
Imagebase:	0xfe0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:15:38
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:15:38
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmpA26.tmp"
Imagebase:	0x150000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	03:15:38
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	03:15:38
Start date:	22/11/2024
Path:	C:\Users\user\Desktop\product sample requirement.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\product sample requirement.exe"
Imagebase:	0xc40000
File size:	448'512 bytes
MD5 hash:	07D5A83558349A82CFA1DC6D68F4D84B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	03:15:41
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe
Imagebase:	0x620000
File size:	448'512 bytes
MD5 hash:	07D5A83558349A82CFA1DC6D68F4D84B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000009.00000002.1766752393.0000000002A46000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	03:15:41
Start date:	22/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	03:15:42
Start date:	22/11/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TWmzcmqkuotC" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp"
Imagebase:	0x150000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	03:15:42
Start date:	22/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	03:15:43
Start date:	22/11/2024
Path:	C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\TWmzcmqkuotC.exe"
Imagebase:	0x710000
File size:	448'512 bytes
MD5 hash:	07D5A83558349A82CFA1DC6D68F4D84B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 0000000D.00000002.1778713308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000D.00000002.1778713308.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	9.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	2.9%
Total number of Nodes:	175
Total number of Limit Nodes:	10

Executed Functions

Function 0534E978 Relevance: 7.0, Strings: 5, Instructions: 724COMMON

Download Yara Rule

Strings

(o^q, xrefs: 0534F20B
,bq, xrefs: 0534EF8F
,bq, xrefs: 0534EF9F
(o^q, xrefs: 0534F201
Hbq, xrefs: 0534F278

Memory Dump Source

Source File: 00000000.00000002.1729562440.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_product sample requirement.jbxd

Similarity

API ID:
String ID: (o^q$(o^q$,bq$,bq$Hbq
API String ID: 0-3486158592
Opcode ID: ce58e14b61b3019e94d9bfb7dd501a0e3529fd9421ce677c64da8cacfb6514b4
Instruction ID: 26b37417054b67bacec21165662fb5def85ec0d07852eedf691a727906b9062f
Opcode Fuzzy Hash: ce58e14b61b3019e94d9bfb7dd501a0e3529fd9421ce677c64da8cacfb6514b4
Instruction Fuzzy Hash: 23527E34A001159FDB18DF69D894AAEBBF6FF88310B198169E806DB361CB71EC45CF91

Function 071A34B8 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 071A3874
~, xrefs: 071A36D6
pbq, xrefs: 071A393D
:, xrefs: 071A3737

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: 4'^q$:$pbq$~
API String ID: 0-999388165
Opcode ID: fca6c60f893e9daeec47daefe27513bffad6e2c4146ea6258e440af06ba8e636
Instruction ID: f2bed31059a106596b7d41f64f047e65b8d4f86c4b3c736a8eb141eaf9e15d51
Opcode Fuzzy Hash: fca6c60f893e9daeec47daefe27513bffad6e2c4146ea6258e440af06ba8e636
Instruction Fuzzy Hash: A242E4B9A00218DFDB19CFA9C944B99BBB2FF49300F1580E9E509AB265D731DE91DF10

Function 071A2106 Relevance: 1.8, Strings: 1, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

D, xrefs: 071A210B

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: d37ae46b0992666e9527388fc7ce49183ed08f0e4e954e5b0b0e1169ac52f623
Instruction ID: 88a7e5f944de2be511e130b1e59aefd67de6c25c6860d6d9d8171dacf55267bf
Opcode Fuzzy Hash: d37ae46b0992666e9527388fc7ce49183ed08f0e4e954e5b0b0e1169ac52f623
Instruction Fuzzy Hash: 1952D674A002289FDB64DF68D998A9DBBB6FF88310F1041D9D509A73A5DB34AEC1CF50

Function 07156220 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab7aae84d8d0d95eea962f11818967d453b0fbff434a1e047f48da56dc51838
Instruction ID: 38770ee8f6215e0c2d83246d45fd1415798ec95c751100e6bca33518700208f3
Opcode Fuzzy Hash: cab7aae84d8d0d95eea962f11818967d453b0fbff434a1e047f48da56dc51838
Instruction Fuzzy Hash: 2022B9B0701205CFDB19DB69C564BAEB7F7AF89B00F544069E9169B3A0CB31ED41CB91

Function 071543E8 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ee3fab1766caeb4ed05a28ee309fce09621c7afe2629d3d8444b9b330de9c31
Instruction ID: b808bdabd11579d969ba62b0a3cbc9012c973a2309895f50001ab4f7866713a7
Opcode Fuzzy Hash: 2ee3fab1766caeb4ed05a28ee309fce09621c7afe2629d3d8444b9b330de9c31
Instruction Fuzzy Hash: 488105B1D55269CFDB28CF66C8407EDB7B6BF89300F1085AAD819A6290EB745AC5CF40

Function 07151F09 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99efa53b68350367acf220c33b450b9fda09c4315553d5d7ddd928b67e9f61cb
Instruction ID: 2ee2871c0cfe61f366d223d53006132ec3d7abb6b9ad35a0026cc2339d15b121
Opcode Fuzzy Hash: 99efa53b68350367acf220c33b450b9fda09c4315553d5d7ddd928b67e9f61cb
Instruction Fuzzy Hash: 2F411BF5D19208DBDB0DCFA6D5447EDBBFABB4A300F10A026D929A6295D734584ACF40

Function 071AA2D1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d660a63f8c55691844f687a8da176a6a5cfdc219f4f3efae8e87bb516beeebdd
Instruction ID: f51fc5aadcc8d54424a19ead58278e2b30249e63c09c0a2b4c3c6a43b94f67d8
Opcode Fuzzy Hash: d660a63f8c55691844f687a8da176a6a5cfdc219f4f3efae8e87bb516beeebdd
Instruction Fuzzy Hash: 45215EB6D057099BEB09CFAB88012AAFBF7AFC9300F08C0B6D40C66155EB741645CF51

Function 07154666 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d80a879d399c49d5eef49a0f79dbdae433c428e2c3149adc1a2fae6abbaafe
Instruction ID: eb42ae042646a432d737f04929a712f44b10dde9112aabd1816dd1b200bced3f
Opcode Fuzzy Hash: 15d80a879d399c49d5eef49a0f79dbdae433c428e2c3149adc1a2fae6abbaafe
Instruction Fuzzy Hash: 69B012C0CBF180EEC10F192004003F8943E0517000F0734424D77330C31200C418111E

Function 071A2C38 Relevance: 7.9, Strings: 6, Instructions: 442
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 071A2D00
4'^q, xrefs: 071A2CAE
4'^q, xrefs: 071A2CDE
4|cq, xrefs: 071A2E43
4'^q, xrefs: 071A2C53
4|cq, xrefs: 071A2E28

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: 4'^q$4'^q$4'^q$4|cq$4|cq$$^q
API String ID: 0-1027864050
Opcode ID: 27925891490633dffcb99c52119b723989b369ed16db6e76e99a9d50a354171a
Instruction ID: 38f3ac8f720d69511ce44b6545428841e9cd323fe00e86baa71e0bc40c4c8d16
Opcode Fuzzy Hash: 27925891490633dffcb99c52119b723989b369ed16db6e76e99a9d50a354171a
Instruction Fuzzy Hash: 70E1D1B5B002169FCB199F78D85866E7BEABFCA710B154469E006DB3A2DF34DC41CB90

Function 071513C4 Relevance: 1.7, APIs: 1, Instructions: 246
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07151606

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9bf4c2ffcbf4b274c8306121ed12671f45c24df1d2c31f1fe4533f17409c117b
Instruction ID: a4ed0d97393af8260afba9c4c51e5e96f4debdaa92c456a4fbc1cb16d871c3f1
Opcode Fuzzy Hash: 9bf4c2ffcbf4b274c8306121ed12671f45c24df1d2c31f1fe4533f17409c117b
Instruction Fuzzy Hash: 97A16DB1D0021EDFDB15CF68C8407EDBBB2BF48310F1485A9E818A7290D7749985DF92

Function 071513D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07151606

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 9ff71365b1f4b7a4f8edd540c3ecf64d868e1d24af4b22f832b28ce02c3c4d78
Instruction ID: ca774dfbbd17dd33fd39668f8ca905c6ad1d12a94199dc9792ff66e71843cd47
Opcode Fuzzy Hash: 9ff71365b1f4b7a4f8edd540c3ecf64d868e1d24af4b22f832b28ce02c3c4d78
Instruction Fuzzy Hash: 78916CB1D0021EDFDB25CF68C8407EDBBB2BF48314F1481A9E818A7290DB749985DF92

Function 0256AD68 Relevance: 1.7, APIs: 1, Instructions: 193
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0256AFBE

Memory Dump Source

Source File: 00000000.00000002.1725456278.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_product sample requirement.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3f74614feccd1d936b815acd934a8dac970c4127048d8c86ae26af635aca8612
Instruction ID: 4133112ee380361d657b1b65d801ae3a675f26768cbd4565fd84a79fe109ff62
Opcode Fuzzy Hash: 3f74614feccd1d936b815acd934a8dac970c4127048d8c86ae26af635aca8612
Instruction Fuzzy Hash: C8712570A00B058FD724DF69D04476ABBF2FF88314F108A2DD48AE7A50DB75E949CB99

Function 025644B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025659C9

Memory Dump Source

Source File: 00000000.00000002.1725456278.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_product sample requirement.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 88939e87817d8dffe6b2853c9402276061bf6208be14f49cffb3dd93f32800a6
Instruction ID: 86bed3be5920a8d8a1a14175c0efe4f8ad916755692f46cbd9351c41da9c131c
Opcode Fuzzy Hash: 88939e87817d8dffe6b2853c9402276061bf6208be14f49cffb3dd93f32800a6
Instruction Fuzzy Hash: 8641F2B0D00719DBDB24DFA9C8487DDBBF5BF48304F64806AD408AB251EB756945CF90

Function 04CC4040 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04CC4101

Memory Dump Source

Source File: 00000000.00000002.1728838296.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cc0000_product sample requirement.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 76bc27e48001372321cd22aa43a4bead6ecaa0f70a9abbc89679dbe69720e9db
Instruction ID: 6a07bbf847d37722ab371c24d3fc543ee056bd06c309acba927b308a4266465d
Opcode Fuzzy Hash: 76bc27e48001372321cd22aa43a4bead6ecaa0f70a9abbc89679dbe69720e9db
Instruction Fuzzy Hash: E34138B8A00305DFDB14CF99C448AAAFBF6FB88314F24C458D559AB321D375A941CFA4

Function 02565917 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 025659C9

Memory Dump Source

Source File: 00000000.00000002.1725456278.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_product sample requirement.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e9f1d58335b2ec89e4d920f58816463bbb357428b7c6e0d798429addbea91c38
Instruction ID: 70ddc11ae569b6dfa37d4aee21d7b7bdac1998da0ad629d9d3bbf1985299fc42
Opcode Fuzzy Hash: e9f1d58335b2ec89e4d920f58816463bbb357428b7c6e0d798429addbea91c38
Instruction Fuzzy Hash: A741E2B0C00719DFDB24DFA9C8847DDBBB5BF48304F64806AD408AB255EB75698ACF90

Function 0534C071 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0534C10F

Memory Dump Source

Source File: 00000000.00000002.1729562440.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_product sample requirement.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 8fb02ea0d435c1b2ce96bbe9cbeb9441e5d454ace1c858f385d3ba84479f58b1
Instruction ID: 10b1273f6907e056f6208f514b26ce6a7acbfd5f0813868fd4282ed7267ec2a3
Opcode Fuzzy Hash: 8fb02ea0d435c1b2ce96bbe9cbeb9441e5d454ace1c858f385d3ba84479f58b1
Instruction Fuzzy Hash: EC31EEB5D013099FCB10CF9AD884AEEFBF5FB48320F54842AE819A7210D774A940CFA4

Function 07151140 Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071511D8

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ffc377922e987e5fc1a8a007cf8e7bbf86b7e6f19fb5b9d82b3ab6f7ce0e9aba
Instruction ID: 6d6ab204c8723e9f375466c434af4dd03b933f75a577472d942e0877cface33b
Opcode Fuzzy Hash: ffc377922e987e5fc1a8a007cf8e7bbf86b7e6f19fb5b9d82b3ab6f7ce0e9aba
Instruction Fuzzy Hash: 232124B69003199FCB14CFA9C985BEEBBF5FF48310F10842AE958A7240D7789945CBA5

Function 0534C078 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DrawTextExW.USER32(?,?,?,?,?,?), ref: 0534C10F

Memory Dump Source

Source File: 00000000.00000002.1729562440.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_product sample requirement.jbxd

Similarity

API ID: DrawText
String ID:
API String ID: 2175133113-0
Opcode ID: 85f4aa451c1c5366d1f995335aeaad2fa1baa621b4349e419b46f255eae632cc
Instruction ID: 5c9b44e9c6f8b860b953cd0f1a1df0ca4734fb253ba2bfb1499f6de86d429732
Opcode Fuzzy Hash: 85f4aa451c1c5366d1f995335aeaad2fa1baa621b4349e419b46f255eae632cc
Instruction Fuzzy Hash: D521BFB5D013099FDB10CF9AD884AEEFBF5FB48320F14842AE919A7210D775A944CFA5

Function 07151148 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 071511D8

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: ef407affef8a73172ba8486a31dbad6a609f21e4d624f64228506dc84f67df52
Instruction ID: a29a4b922ac2aae6a4ad5e1aba33d08e87007ccced6386e05577778b3811c564
Opcode Fuzzy Hash: ef407affef8a73172ba8486a31dbad6a609f21e4d624f64228506dc84f67df52
Instruction Fuzzy Hash: 112146B1900319DFCB10CFA9C984BDEBBF5FF48310F108429E958A7240C7789944CBA4

Function 07150FA8 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0715102E

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a6a20d6d2dc849d67738d245387218f00d968c2a348a1363583528443a5d1da1
Instruction ID: 4ef55a52a2c44f8ded13938449dbb08a572309c4583b91ab984edb148b4940ad
Opcode Fuzzy Hash: a6a20d6d2dc849d67738d245387218f00d968c2a348a1363583528443a5d1da1
Instruction Fuzzy Hash: CC2159B19003099FDB10DFAAC4857EEBBF4EF48314F508429D859A7240D778A945CFA5

Function 0256D23C Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0256D616,?,?,?,?,?), ref: 0256D6D7

Memory Dump Source

Source File: 00000000.00000002.1725456278.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_product sample requirement.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ce810e408d0d0ad44e5471bcb574846d147942a32cfaa4f815f0ee466e88af78
Instruction ID: 6520c5b875f9624dbf0ef14f12918c950d2716fdcb1eed171594b075044f3080
Opcode Fuzzy Hash: ce810e408d0d0ad44e5471bcb574846d147942a32cfaa4f815f0ee466e88af78
Instruction Fuzzy Hash: BA21E3B59012589FDB10CFAAD584AEEFFF4FB48314F14841AE958A7311D374A940CFA5

Function 07151231 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071512B8

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 86e4f3028fbe8f55d24b8cce837b16875e5a9cb48be89f762e62ecb2a0bdd860
Instruction ID: c792cb8be0bb710f70279d4ac046c6731ba7b1f78b452eff0d83a6fe23787bd1
Opcode Fuzzy Hash: 86e4f3028fbe8f55d24b8cce837b16875e5a9cb48be89f762e62ecb2a0bdd860
Instruction Fuzzy Hash: 812125B1800259DFCB10CFAAC940AEEFBF5FF48320F108429E958A7250D7349945CBA5

Function 07150FB0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0715102E

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 57ff82cf23db2eeed8e52af7b73166fe4ba6e605eb0152eb22757eee53ae65d1
Instruction ID: 56a20009fce5748d4946343d6641e9ac779ae3985c048d919002f9b15e01617c
Opcode Fuzzy Hash: 57ff82cf23db2eeed8e52af7b73166fe4ba6e605eb0152eb22757eee53ae65d1
Instruction Fuzzy Hash: E32138B19003099FDB14DFAAC4857EEBBF4EF48324F50842AD859A7240D7789945CFA5

Function 07151238 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071512B8

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ad605407777d6d64b65ddf55560595924e5abee44d6d80b57272bdb4bd2086b0
Instruction ID: 449af266c8ff76d906463db3511fc73f88cc4809450f45c33e8574f5f7451065
Opcode Fuzzy Hash: ad605407777d6d64b65ddf55560595924e5abee44d6d80b57272bdb4bd2086b0
Instruction Fuzzy Hash: C22116B1900259DFCB10DFAAC944ADEFBF5FF48320F508429E958A7250C7349545DBA5

Function 0256D648 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0256D616,?,?,?,?,?), ref: 0256D6D7

Memory Dump Source

Source File: 00000000.00000002.1725456278.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_product sample requirement.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6ae19aca53689818ac9d1736dd33361e33337b7a46c6cb3a56675773583cafcd
Instruction ID: 979fc82f7ab367fb52e04ea40d24c928bb4a6b31a6d4ba708d3317a7e4736164
Opcode Fuzzy Hash: 6ae19aca53689818ac9d1736dd33361e33337b7a46c6cb3a56675773583cafcd
Instruction Fuzzy Hash: DB2112B5900218DFDB10CFA9D584AEEBBF5FB48314F20842AE918A3310D334A940CF64

Function 071A4FDF Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

@, xrefs: 071A5107

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b385a94b73b4eb3195b2b6b6e15804699509b2ead1de06dc8fb1b65922035a35
Instruction ID: c95b68e723f415a1e68e07e5dd8784b5fcf27711a7c2ffcbad93015a261fa611
Opcode Fuzzy Hash: b385a94b73b4eb3195b2b6b6e15804699509b2ead1de06dc8fb1b65922035a35
Instruction Fuzzy Hash: F7E1B3B9E04219DFDB54CFA8D980A9DBBF2FB49310F1481AAD819E7345E7319A81CF50

Function 07151080 Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071510F6

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c4e408944f2d46c8d80e1cfc669ac8565e56686b30c805abbe5dabeca7484514
Instruction ID: 82dd6169c7bd42f025381124d2d5eb5af059b019c21dbc55512b931d42cdfd57
Opcode Fuzzy Hash: c4e408944f2d46c8d80e1cfc669ac8565e56686b30c805abbe5dabeca7484514
Instruction Fuzzy Hash: D01167B68002499FCB20DFA9C944BDEBFF5EF48320F208419E859A7250C735A944CFA1

Function 07150EF8 Relevance: 1.6, APIs: 1, Instructions: 53threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07150F62

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1f83cbc76aa039e3895aa0a1e920c28af8263fc4f90a88ec706c7b502c4640e7
Instruction ID: ca4a16628e02349bd138d6d06a5a0038a31294f4c0c3da159d5081f0375fe7ae
Opcode Fuzzy Hash: 1f83cbc76aa039e3895aa0a1e920c28af8263fc4f90a88ec706c7b502c4640e7
Instruction Fuzzy Hash: 561176B19003488BCB20DFAAC4457EEFBF4EB88324F20881ED459A7240CB34A585CBA5

Function 07151088 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071510F6

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 111972c8f1c5e313a3b2ddd241df466e7c62be906650d44d6f767e37612ef096
Instruction ID: 2386b1de32625d5245661e3fd0ea3e7e5add5226fd4e62a91cdb4e3dc0465e86
Opcode Fuzzy Hash: 111972c8f1c5e313a3b2ddd241df466e7c62be906650d44d6f767e37612ef096
Instruction Fuzzy Hash: 121129B59002499FCB20DFA9C845BDEBFF5EB48320F108419E555A7250C7759544CFA5

Function 07150F00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 07150F62

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f3618508bfa61445953fcc730c8c20fb8a37a6da02f27c2452c8d0f99fd9f330
Instruction ID: cd0545e7730c943e01bb812027f06c45d3b425f42c23cd96668d00bab9ab6802
Opcode Fuzzy Hash: f3618508bfa61445953fcc730c8c20fb8a37a6da02f27c2452c8d0f99fd9f330
Instruction Fuzzy Hash: 981125B19003498BCB24DFAAC4457EEFBF4AB88324F20842AD459A7250CB75A945CFA5

Function 0256AF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0256AFBE

Memory Dump Source

Source File: 00000000.00000002.1725456278.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_product sample requirement.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: a932e63b2ee5a80e412674dabd5ab48d8048aa2c4de891693508776af1f99345
Instruction ID: 7d1d50f3d3d356d50ba9fc08c6335f3dad73b25cf97a8837fc769ee0b880148e
Opcode Fuzzy Hash: a932e63b2ee5a80e412674dabd5ab48d8048aa2c4de891693508776af1f99345
Instruction Fuzzy Hash: 631110B6C003498FCB20CF9AD448ADEFBF4AB88324F10842AD859B7610C379A545CFA5

Function 07155561 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 071555C5

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 32177d4d9ad59978151d4c050a2ba26c4e79f5413699e28f8ab79d6b0476b024
Instruction ID: 3485a78d030f3aa0f46cb5d4779ebe649c3ed013b3f3f0d14f82a7046cec2f5c
Opcode Fuzzy Hash: 32177d4d9ad59978151d4c050a2ba26c4e79f5413699e28f8ab79d6b0476b024
Instruction Fuzzy Hash: C711E0B5900349DFDB20CF9AC548BDEBFF9EB48324F10881AE958A7640C375A644CFA5

Function 07155568 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 071555C5

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 9e779c4ab1ad5b27a6ea190c46b10445c1768d9e22c2c1b9a0bd63505ed68520
Instruction ID: 9b5afeaff3e3e1c2a26a72f1474e458b236ee17c3eb19e0f4b1e9415a64794d9
Opcode Fuzzy Hash: 9e779c4ab1ad5b27a6ea190c46b10445c1768d9e22c2c1b9a0bd63505ed68520
Instruction Fuzzy Hash: B91103B5800349DFCB20CF9AC544BDEFBF9EB48320F108419E958A7640C375A544CFA5

Function 071A3D9E Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

LR^q, xrefs: 071A3E1A

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 4165aaf319c943402965bf6cb37cfc3b9f4c3da637533509e2feecece6df3841
Instruction ID: 4ee7f88ccd4175e5b82a82ff3389c92e005587286a350566dfa22317077df807
Opcode Fuzzy Hash: 4165aaf319c943402965bf6cb37cfc3b9f4c3da637533509e2feecece6df3841
Instruction Fuzzy Hash: 2491F6B8E00219AFDB05DFA9D4816ADBBF2FB49310F108429E829E7381DB359942CF51

Function 071A4894 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

Te^q, xrefs: 071A5C51

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: cef95fa38f7c68c7e4be3eb38dbed7dae45c4d1b0895a670e154b8242b2cda94
Instruction ID: 10294b4a1c666342cba3c722b708143d597a16fea5856e00b5ee674c2df4c138
Opcode Fuzzy Hash: cef95fa38f7c68c7e4be3eb38dbed7dae45c4d1b0895a670e154b8242b2cda94
Instruction Fuzzy Hash: 4B510F74B042069FCB01DF79D8484AEBBF7EFC5320718896AE055DB396DB309D1587A0

Function 071A4428 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8bq, xrefs: 071A44C9

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 689149d4ef2d63f65d61b8fef7bf14e654836ccaf21bc9098df3cf1f56a7337e
Instruction ID: 36840345528ce73e9f9a2499bd000f8a9983c6e2334062c29f1fcdf281703603
Opcode Fuzzy Hash: 689149d4ef2d63f65d61b8fef7bf14e654836ccaf21bc9098df3cf1f56a7337e
Instruction Fuzzy Hash: FB41E8B9E00159AFDB05DFA8E4515AEBBB2FB89300F108429E819A7344DB759D42CF51

Function 071A4417 Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

8bq, xrefs: 071A44C9

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 168963ca37471bbc468a75ab1c4be9b3159cef7f419d3da536ace9ed126d8882
Instruction ID: 92de0db6c407f4bf40fa4576404778400a78d8022ad26cbf349654c3e7cdadb8
Opcode Fuzzy Hash: 168963ca37471bbc468a75ab1c4be9b3159cef7f419d3da536ace9ed126d8882
Instruction Fuzzy Hash: 4F4129B9E00149AFDB05DFA8D8505EEBBF2FB89300F14846AE819A7381DB359D42CF51

Function 071AAD6B Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Te^q, xrefs: 071AADB9

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 4fe578ccc8de5123817d3cb627ac470cf3a1a260853e43def2888a453f21d28c
Instruction ID: 634aa30ebb23ce0d858696379ce31c849619f1b45b0fe101ba788b17366416ef
Opcode Fuzzy Hash: 4fe578ccc8de5123817d3cb627ac470cf3a1a260853e43def2888a453f21d28c
Instruction Fuzzy Hash: 7F31C3B8E01209DFDB08CFE9D4849ADBBB6FF89301F10912AE909AB365C7319945CF10

Function 071AAD5A Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Te^q, xrefs: 071AADB9

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 337f85a943c13efd39285fee7f7eb866c8fa9c4693e4e9ee838bad5127010f3e
Instruction ID: 60ca32a8787935aca3f3ef7bf7042795c526279dab77493eafa8d746e8b12ad1
Opcode Fuzzy Hash: 337f85a943c13efd39285fee7f7eb866c8fa9c4693e4e9ee838bad5127010f3e
Instruction Fuzzy Hash: 8231A1B8E04209DFDB08CFA9D4849EDBBB5FF89310F14912AE919AB251C735A945CF50

Function 071AAED1 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

Te^q, xrefs: 071AADB9

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 804423dd294660d64913845df8c013291c3be680c164c8480042ce2ab1fbfeeb
Instruction ID: 031dd51d40525f78f336f2efb7aa97d2c2b131cd6ac87fafb586229279342b1d
Opcode Fuzzy Hash: 804423dd294660d64913845df8c013291c3be680c164c8480042ce2ab1fbfeeb
Instruction Fuzzy Hash: 4731AF78E042099FCB08CFE9D4849EDBBB5EF49310F14912AE919AB265C7359945CB50

Function 071A5608 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 071A5673

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: d4d92616637c9331777ad08bbb137c90630723595cadfb10b8df2360bf348bca
Instruction ID: d10ff46e5a4d72c1c8f5a3b396d5940ba9ee961359bd45ad9c57e621383220e6
Opcode Fuzzy Hash: d4d92616637c9331777ad08bbb137c90630723595cadfb10b8df2360bf348bca
Instruction Fuzzy Hash: DD114FB5B0020A9BCB05EFB999105EEB6F2AB84210B10403AC509E7384EB358E16CBE1

Function 071A7EF9 Relevance: 1.3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

Strings

;, xrefs: 071A7F1C

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 2567125fb68d0817a9ab96e8c4c231fa93ab61afc504a4d43e1020babef617f3
Instruction ID: 9eef2cdeb3e4a0011b49062f9968b59b371101a7d5ef743b68b8a45f7113fb29
Opcode Fuzzy Hash: 2567125fb68d0817a9ab96e8c4c231fa93ab61afc504a4d43e1020babef617f3
Instruction Fuzzy Hash: FE0140B8D0524BAFCB11CFB5D9456AEBBB9AB06300F1485A6D824E3381D7345B45CB91

Function 071A7450 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

m, xrefs: 071A7464

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: fbafb6705c835965eeb38b44e55882dbb19dd7310bf511653d362c77723eaee7
Instruction ID: fe77dd080ab6c98f25b888eaa28a1a08380a4058722bb2b954038e59f25b039e
Opcode Fuzzy Hash: fbafb6705c835965eeb38b44e55882dbb19dd7310bf511653d362c77723eaee7
Instruction Fuzzy Hash: C5E0C2B8E05209FBCB08EFB4D4043ADBFB8A705300F000194C405532C1EB301B44CAA1

Function 071A3348 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

6, xrefs: 071A335C

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: fea0c4250bf6b659f83df4d81675af28da18499b3f83bd75807d9177d8ebc1b3
Instruction ID: 2d445db24edc35388a0939cba4fe1e01852a096a248a1478cceb18a6cb515019
Opcode Fuzzy Hash: fea0c4250bf6b659f83df4d81675af28da18499b3f83bd75807d9177d8ebc1b3
Instruction Fuzzy Hash: 7CE0C2B4D09208FBDB15EFB4E4093AEBBBCAB09301F108195D40593280EF315A40D741

Function 071A4038 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

7, xrefs: 071A404C

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 9b74996ffe5fbeedb5a2f4028733fde79c7f0f6739c7d420646d4a5f607d51d6
Instruction ID: 0122bcbb5287eb1ca84e9980c25bd716c5b01607ff0c6a93f891959da064151c
Opcode Fuzzy Hash: 9b74996ffe5fbeedb5a2f4028733fde79c7f0f6739c7d420646d4a5f607d51d6
Instruction Fuzzy Hash: 32E0C2B890514CFBCB15EFF8E5057EDBBB8A705300F5101A4C80693280DBB41A44E641

Function 071AAF28 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e4af2dab77d2017b6e59c157b93cea7e660846adb5dd7c02c7703fa3a32396
Instruction ID: 82988abd4d427a12e30d0c476f3968dc6d28a8085cb10bcf08b8f210d9f44dbe
Opcode Fuzzy Hash: 48e4af2dab77d2017b6e59c157b93cea7e660846adb5dd7c02c7703fa3a32396
Instruction Fuzzy Hash: 61B17EF4E15249EFCB14DFA8D940AEDBBB6FF49300F109625D409AB395DB30A985CB90

Function 071AAF26 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1ccf2741e2cdfe4d92f9109c4b141e07084a97a84ac96ff1a708de48f6dd223
Instruction ID: 988047af7fc0d2df66ce2443dcb07203f8f8df28d3d82f1de426389174411f73
Opcode Fuzzy Hash: b1ccf2741e2cdfe4d92f9109c4b141e07084a97a84ac96ff1a708de48f6dd223
Instruction Fuzzy Hash: 67918FF4E15249EFCB14DFA8D940AEDBBB6FF49300F109625D409AB395DB30A985CB90

Function 071A6D37 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01e07052dc2930c065d4f4e6e327e7fea64f42eb38f6a3df56b1cdad3497727
Instruction ID: f3fc9cbde260004efd65acc5db581d248b6504b68a0941aee277f8d7305187b2
Opcode Fuzzy Hash: a01e07052dc2930c065d4f4e6e327e7fea64f42eb38f6a3df56b1cdad3497727
Instruction Fuzzy Hash: 848194B9E0421A9FDF11CFA8C890AAEBBB1EF49304F148469E819EB355D7319946CF50

Function 071A8560 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b165c534daf1eb3fc296afd321cbc82b8e3a0afe7505443d3e94c03694fb001
Instruction ID: 87c5d6c743a5acf959abcd35a1c1bec5b39baff1c1d5018fbeba1b3fb2610a87
Opcode Fuzzy Hash: 7b165c534daf1eb3fc296afd321cbc82b8e3a0afe7505443d3e94c03694fb001
Instruction Fuzzy Hash: 834109B8E00119EFDB05DFA9D480AAEBBF1EB49310F108569E819E7380DB319D42CF51

Function 071A8551 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 054b1ad453b1b8e86d9ad869e43e5c7555bc9b0ec03ed757ae7bf85efcc9ca83
Instruction ID: 97660f654e937db9c28e0eecb215a8f8cb89ba722dcec1e5f68f3a825233e78d
Opcode Fuzzy Hash: 054b1ad453b1b8e86d9ad869e43e5c7555bc9b0ec03ed757ae7bf85efcc9ca83
Instruction Fuzzy Hash: 54416CB4E00209AFDB06DFA9D44069EBBF2EB49310F14C56AE819E7391DB359D42CB51

Function 071A2FB0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70170b8ae667b7a4919a2de9b3cc281a1e85c5ea603ea6b3f3103f73887c2f91
Instruction ID: fcd45c7fc15f45c10d23d6dc693b683608c79b36293430c4c6e4b97e90accbf8
Opcode Fuzzy Hash: 70170b8ae667b7a4919a2de9b3cc281a1e85c5ea603ea6b3f3103f73887c2f91
Instruction Fuzzy Hash: 8041F5B4E0021A9FDB05DFB9D85A6AEBBF5AF89311F108439D815E7291EB34E940CB50

Function 071A592C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 846cf7da282c37925cf7b00193023d0a1898616d2eb26ea584e53bd6f967073c
Instruction ID: 1c5b78a54dc0bd21717696e789b1d0fe07d6f9f4255a8d56711329587a013006
Opcode Fuzzy Hash: 846cf7da282c37925cf7b00193023d0a1898616d2eb26ea584e53bd6f967073c
Instruction Fuzzy Hash: BC318BB6A00209AFCB10CFA9D844ADEBFF5EF48320F10846AE804E7391C7359954CFA1

Function 071A4EC9 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec348c5e555ff38c0b39fc2ef3b2a09572ee0568c6d3cb752a6b45959d7559a
Instruction ID: 29343e2bc2a630558fbe1d09b80d5ca2fc2dc0a328700f123a348363a0ca91ae
Opcode Fuzzy Hash: bec348c5e555ff38c0b39fc2ef3b2a09572ee0568c6d3cb752a6b45959d7559a
Instruction Fuzzy Hash: 8F31B3B8E0424ADFDB41CFADD5456EEBBF4AB09200F1490AAD814F3341E7749A40CFA1

Function 071A5AB0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebbf2751c084cd4ff994f99b578c6d1f8882a40035c997c7a8e633ca402eaf3
Instruction ID: c9c0b599691d258d5a4674b42eda4d43e1977a7f1e130af7b1387b2c8629dc19
Opcode Fuzzy Hash: 4ebbf2751c084cd4ff994f99b578c6d1f8882a40035c997c7a8e633ca402eaf3
Instruction Fuzzy Hash: 7721D7B99083955FD702EF7C98501EE7FB3EFC5260B19446AD094DB292DB348A09C7A1

Function 00D1D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724970879.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749f42b3ac41fec87641d9652f6a91d1d9e3b97b377306609cef261d423ee7e5
Instruction ID: 06c7097c8aadb23f539f05484267632e0c2f8d1af1f0b7deae7a48c4a845009f
Opcode Fuzzy Hash: 749f42b3ac41fec87641d9652f6a91d1d9e3b97b377306609cef261d423ee7e5
Instruction Fuzzy Hash: 7F216A71100200EFDB04DF04E9C0B57BF66FB98314F24C169E8090B256C736E886C7B2

Function 00D1D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724970879.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8a51cec4927e65abf2a0c6bc6bc3a05588f3278738e1a55657df39d4da1854
Instruction ID: 4221c544231b0c6f91771d43fdbf5dca453f2be8de00fa9f04c850459d7df308
Opcode Fuzzy Hash: ef8a51cec4927e65abf2a0c6bc6bc3a05588f3278738e1a55657df39d4da1854
Instruction Fuzzy Hash: CC212571504240EFEB05DF14E9C0B67BF67FB98318F24C569E8490B256C736D896CAB1

Function 024DD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725159663.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24dd000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20ef5b4756c825f3f26b8130c290c051f79b623e0ea1d4e2811ceebe9b793a3d
Instruction ID: 6d9d31561a0cdb1d2e5d6288008723f2a98ae5764eec5580842da9ecaff0cabe
Opcode Fuzzy Hash: 20ef5b4756c825f3f26b8130c290c051f79b623e0ea1d4e2811ceebe9b793a3d
Instruction Fuzzy Hash: 3B21F272A04200DFDB16DF24D994B26BBA5EBC8318F64C56AD90A4B356C33AD447CA61

Function 024DD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725159663.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24dd000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73414ed5840e7312521e00beff52b92a660eb867d8219100d81a3f965b798b1
Instruction ID: 952e0bed66a860db13dc05cfc2af4151937a0f8730375cf105a408ea409b02c5
Opcode Fuzzy Hash: e73414ed5840e7312521e00beff52b92a660eb867d8219100d81a3f965b798b1
Instruction Fuzzy Hash: 48212672A44200EFDB05DF14D9D4B26BBA5FB88314F20C66EE8494F356C336D446CA61

Function 071A5C94 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 717d3417c6d5852943be1a0080daa5dc17db78df7f6a5f847f887ac7e7b0399f
Instruction ID: 7a90f5faf44dc4bb60ff2f9dba3cbc9853cb672169674be720d6513569fd6d35
Opcode Fuzzy Hash: 717d3417c6d5852943be1a0080daa5dc17db78df7f6a5f847f887ac7e7b0399f
Instruction Fuzzy Hash: 6331F2B4C01358EFDB21CF99C988BCEBFF5AB08314F14841AE458BB290C7759885CB95

Function 071A5748 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0aad4e0b909c3e50c9990099333e35b677ea9cfa4c75ebb97f83b5fbe5d0ae1d
Instruction ID: c3fd17eb168c8f3c258e158e48984b51b5b22e2c89369b73a9e90a365ac2e0dc
Opcode Fuzzy Hash: 0aad4e0b909c3e50c9990099333e35b677ea9cfa4c75ebb97f83b5fbe5d0ae1d
Instruction Fuzzy Hash: 6931F2B4C04218EFDB20DF9AC588B8EBFF5EB08314F248019E418BB290C7B59845CFA5

Function 071A6FA0 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 198f278a318ceb743c00c96fb8e2eb3ddd6ea5687295f93b893baaa3b89a683d
Instruction ID: bcec94055364a5e4500382a760ceaf1f08f9507a38e6b3ea54fdd21e65a6f5fb
Opcode Fuzzy Hash: 198f278a318ceb743c00c96fb8e2eb3ddd6ea5687295f93b893baaa3b89a683d
Instruction Fuzzy Hash: 6F118274A0D385AFCB07DB7489254AD7FF59F42210B1844D7D845CB293DA398D1AC752

Function 024DD005 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725159663.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24dd000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0773a822291860bd057739c28979c0bf85d194cb0ba94588846dba2d7eb7b8e4
Instruction ID: 5475282e7fdda12279bb650dbab60f753d047a8aa613b9c6606d7b2ec6c6c410
Opcode Fuzzy Hash: 0773a822291860bd057739c28979c0bf85d194cb0ba94588846dba2d7eb7b8e4
Instruction Fuzzy Hash: CF216075508380DFCB06CF24D994712BF71EB86214F28C5DAD8498F2A6C33A980ACB62

Function 071ABBC8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a6e72c9e6c04f8df4ca275932ff38eeffd48952b510f091f07a8c2a2b3bbcf6
Instruction ID: 3323d78aff246e6491590c1f8f2e9e7548960ceb3d00c9064e8a1dce29e1886f
Opcode Fuzzy Hash: 0a6e72c9e6c04f8df4ca275932ff38eeffd48952b510f091f07a8c2a2b3bbcf6
Instruction Fuzzy Hash: A12103B5D146589BEB18CFABC8057EEFABABFC9300F04C02AD40966294DBB40945CF90

Function 00D1D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724970879.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: a7c7e23eecc2e78060e2c8d82c1b25ad5c19f8d9f77cc12cd167fabf05f0dcca
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: A2112672504240DFCB16CF00D5C4B56BF72FB94324F28C6A9DC090B256C33AE85ACBA1

Function 00D1D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724970879.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 85f3ac5301fe0f651bc2f77a1264cf629ede89d918c51247bcf3c9ad3cb316cb
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 17110372504280DFDB06CF10D5C4B56BF72FB94318F28C6A9D8090B256C336D85ACBA1

Function 071A593C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5dc35cef15b2808fac021b36b1384264945b299198f207a46736a67281866c4
Instruction ID: d6fc7d32fc8799d6c19ca4bbf4cb85d4a5be7c4ec368909637380a63c2e1f2eb
Opcode Fuzzy Hash: d5dc35cef15b2808fac021b36b1384264945b299198f207a46736a67281866c4
Instruction Fuzzy Hash: BB2103B5900349AFCB20CF9AD944ADEBBF4FB48310F108429E919A7250C374AA54CFA5

Function 024DD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725159663.00000000024DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 024DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_24dd000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: e5b1fa05e3c7c2af495030f85f7f5dcd84794212bbca9fa211fe34b57ca447c3
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 63118B76904280DFDB16CF14D5D4B16BBB1FB84218F24C6AAD8494F796C33AD44ACB61

Function 00D1D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724970879.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35762c30145383bdacccb6df80ea97e5e880541ca4c94e52fbd56e4d679d3a8e
Instruction ID: 89c5c006e6db034084f49f54937dd0ff978b536be9b2d0361f1200c1b24e4028
Opcode Fuzzy Hash: 35762c30145383bdacccb6df80ea97e5e880541ca4c94e52fbd56e4d679d3a8e
Instruction Fuzzy Hash: FD01A771108340AAE7204A25ED847A7FF99EF51324F2CC92AED4A4A2C6CB79DC80C671

Function 071A6C18 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 331a3a9720d872b4736e2683ada4b541235ce13733d403b2dcf9876dc914f75f
Instruction ID: c42f9658cfa4d141a946248aadbd3a8013ef696aa432eb2618a3adb5d1aad06f
Opcode Fuzzy Hash: 331a3a9720d872b4736e2683ada4b541235ce13733d403b2dcf9876dc914f75f
Instruction Fuzzy Hash: 61011BB8E0520AAFCB05DFB8D4452AEBBF4FB49300F1485AAD414E3642E7349A04CB91

Function 071A32C3 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8802817e2d028b5bab240bd22fca4a441724297ef0215e3e0650c261db2c4f85
Instruction ID: be29fec622da018efb574a420cd3d02744a67dddb464b0cf8a0dd99d180a9d02
Opcode Fuzzy Hash: 8802817e2d028b5bab240bd22fca4a441724297ef0215e3e0650c261db2c4f85
Instruction Fuzzy Hash: 7C016DB8E08209AFDB02DFB8D4016AEBBF4EF46304F1085AAD854E3381DB359A05CB51

Function 071A43B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19aa7594f901daaf0e105955aa647ce66ad50f958c88b49f1671b94c78899843
Instruction ID: f943c182cf161a26e9a40519c7b1c1c6779913722dac41dc1f37fb9bc66b3507
Opcode Fuzzy Hash: 19aa7594f901daaf0e105955aa647ce66ad50f958c88b49f1671b94c78899843
Instruction Fuzzy Hash: 0201FBB8D09249EFCB05CFA9D9411AEBBF8BB49300F1181A6D854E3251E7749A05CB61

Function 071ACA60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db76b715c2f209648ae39e07d7de1c9487386f63a11b8b7183f027f9d2ccb8b1
Instruction ID: 964584446bfa786ae018e80526db71f2dcb9055bd123aecc35a8a5f94b686e86
Opcode Fuzzy Hash: db76b715c2f209648ae39e07d7de1c9487386f63a11b8b7183f027f9d2ccb8b1
Instruction Fuzzy Hash: FDF081B891C105EBC708CF65C5019FDBBBCAB4B700F05E9A4900A9B292E7309E40DBE0

Function 071A8430 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a68cfebf9fd1783a43623b0075e62df92d8d0864de86667ca0d05c5d7473de62
Instruction ID: f90a91a4b514cc493b0c7f7f25a28e290d66250b1219a40aed4f9aaa938ff324
Opcode Fuzzy Hash: a68cfebf9fd1783a43623b0075e62df92d8d0864de86667ca0d05c5d7473de62
Instruction Fuzzy Hash: C80121B4E05209EFD745DFA8D8016AEFBF5FB49300F1084AA9818E7345EB349E05CB51

Function 071A8440 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e06afe92fa7353154d3e7c997aa902595f9ed2b673e0a478fa93ed0ad1abba2
Instruction ID: b35d8fd74ed3e86b78b41220e1a4cb0cdf848da13f1dcb01267b9f76f3631891
Opcode Fuzzy Hash: 9e06afe92fa7353154d3e7c997aa902595f9ed2b673e0a478fa93ed0ad1abba2
Instruction Fuzzy Hash: 7B01FBF8E04209EFDB45DFA8D9416AEFBF5FB49300F1084A99818E7341EB319A01CB51

Function 071A83C8 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 225b9bbb3c32a776a8a2ba35a8b1e094e5b19bd163b7867ee1aff62fa92c9961
Instruction ID: f6f23bbe85b497bb4ca01d249c2b76d62e453e69eda20823d84ca05bf74a4daa
Opcode Fuzzy Hash: 225b9bbb3c32a776a8a2ba35a8b1e094e5b19bd163b7867ee1aff62fa92c9961
Instruction Fuzzy Hash: C50119B8D0934AEFCB02DFB898012ADBFF4AB0A304F0494A6D454E3242E7349A45CB41

Function 071A7F41 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ca95f4d5948e64a26b161333cee1633531c9a195b2dedda6137e5b73a631772
Instruction ID: 43390a70079d01e51cde49845873d8ba75bbcb6976ab8b51e138d70c0bc10d0c
Opcode Fuzzy Hash: 0ca95f4d5948e64a26b161333cee1633531c9a195b2dedda6137e5b73a631772
Instruction Fuzzy Hash: 550131B4D0524BAFC741DFB8D9011AEBFF5AB45300F1584A6D454E3242D7705B41CB91

Function 071A3D21 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e250a5d06789c3393d8d1a0cba612aa466e830a0e6127d326e28a95338e5227e
Instruction ID: 89333bd2bdcce32793078dbfcef99e90381f93c157fa7699e191ae25787df050
Opcode Fuzzy Hash: e250a5d06789c3393d8d1a0cba612aa466e830a0e6127d326e28a95338e5227e
Instruction Fuzzy Hash: B40119B8D09249EFCB42DFB9D8416ADBFF5AB4A300F4485AAD464E3252E7349A40DB41

Function 071A7049 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3181e43a450cab2345eadbaeb45587898c1a7ae67313ef9e126a5f490c1d47a3
Instruction ID: f592d1cf8b268900213a11042cc336019f1b59b3cc1f49e7a6cbda2c96424f3b
Opcode Fuzzy Hash: 3181e43a450cab2345eadbaeb45587898c1a7ae67313ef9e126a5f490c1d47a3
Instruction Fuzzy Hash: C1F0BB72508249BFCB05DB64DC4189E7FBADF05120715C0ABE444DB253D731A9508761

Function 00D1D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1724970879.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d1d000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce31767ca7dc6ab55013a08b5d984a7b5b6ed0acf04de0cfcfbe2f16d3ce169a
Instruction ID: d7dca6afdd58397f4883259b54e9df942351fdf30c280015269df6358fbb956d
Opcode Fuzzy Hash: ce31767ca7dc6ab55013a08b5d984a7b5b6ed0acf04de0cfcfbe2f16d3ce169a
Instruction Fuzzy Hash: ADF06871408344AEE7208A16DC847A2FFA8EF51724F18C55AED095A286C7759C44CA71

Function 071A84F8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 793d9cfc40ca8dacb02bab121ade14a778da34650711a5e9866a0bdc6bf806b5
Instruction ID: 7d24f7aea58b69afd6f28ad59e2a936e4cd03ec8ce20e4883c4a20f96aa514b1
Opcode Fuzzy Hash: 793d9cfc40ca8dacb02bab121ade14a778da34650711a5e9866a0bdc6bf806b5
Instruction Fuzzy Hash: 79F054B4D49349AFCB42DFB8D44569DBFF4AF0A300F1485EAD848E3242E7345A04CB51

Function 071AE5A8 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1a042e88586ac11cef83670aeb173f57127bb6e99e7fef417ce35e1c2a4df4
Instruction ID: e400f76152957cd59ccab1d6b6d04233507271039aac53215fa31323f7ae09a8
Opcode Fuzzy Hash: 1f1a042e88586ac11cef83670aeb173f57127bb6e99e7fef417ce35e1c2a4df4
Instruction Fuzzy Hash: 21F0C8B8905209EFEB14DB59E84679CB7B9BB45300F00C1A5D005A32C4DB759689CF00

Function 071ACC68 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cc2d1e9d14f62bbd5135dd19a9922a4b5f60775f93db30e31d79acbeb87e75c
Instruction ID: e4ecf12e81205ff07a8dfa95d483c2e7b4736f27e7938875adbec4d989887e6c
Opcode Fuzzy Hash: 0cc2d1e9d14f62bbd5135dd19a9922a4b5f60775f93db30e31d79acbeb87e75c
Instruction Fuzzy Hash: FFF0DAB4D5420AEFDB44DFA9C841AAEBBF4FB48200F1085AAD918E7340D77495048FE1

Function 071A5FBD Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a589cd0be4afdb5afa8e5a4c1442dfb1bce6d968eb5b3898e4e712a3266eb026
Instruction ID: 888c083c4ac233a8d710ea1720724e31d10835498fcdf400a0063a36cbd0f675
Opcode Fuzzy Hash: a589cd0be4afdb5afa8e5a4c1442dfb1bce6d968eb5b3898e4e712a3266eb026
Instruction Fuzzy Hash: 07E08CB6D0422AAB8B11AFA99C054EFFF7AAF06610B414512E89167A01D3700BA5CBD2

Function 071AFAB0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61a4d1e63692f6346f9510ff4d44d5d3d6ce2de0d0972c0a0e7a3062c414a2c6
Instruction ID: 68afba208d90f38dbc498b86268809f24116f0ebc90b92d3ddc883d1f69be0f7
Opcode Fuzzy Hash: 61a4d1e63692f6346f9510ff4d44d5d3d6ce2de0d0972c0a0e7a3062c414a2c6
Instruction Fuzzy Hash: EDF015B8E00208FBCB41EFA9E4056CCFBB9EB48301F10C0AAA818A2340DA346A50DF51

Function 071AA2A0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceba8754e153eefb868b65b73e9883120f797e80ab33bbf5a7ac0f631eac8002
Instruction ID: a55c2ffe8c0bd4b93cc4e6786f9c1537daeec5053c6ed515954f60292e7fe1b1
Opcode Fuzzy Hash: ceba8754e153eefb868b65b73e9883120f797e80ab33bbf5a7ac0f631eac8002
Instruction Fuzzy Hash: 52D0A5B24953655FD30727D675072E57F6C4F03311F445553F0CCD109745681699CF56

Function 071A4E90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3466afa0d8a9b543c42e5b217969a1017e1c09e632299c099708f135231bb4
Instruction ID: 88883ae103b99266bf91efc8257ae2e9cb118f192ea6b3fc78ba73c56c03186f
Opcode Fuzzy Hash: 3c3466afa0d8a9b543c42e5b217969a1017e1c09e632299c099708f135231bb4
Instruction Fuzzy Hash: 6BE0C2B890114DFBCB04EFB8D4046AD7BF8AB05300F5085A8D805A3380DBB81E44D792

Function 071ACC10 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb62ae04fe19ac0311745288b56bb44f791ed6a9fb14e0aec0717e76d56cf9e
Instruction ID: b56e7b3fc87f3984dfcebe9e6cbd05c0fda34e23b72d180992178ff434ca5af5
Opcode Fuzzy Hash: 7eb62ae04fe19ac0311745288b56bb44f791ed6a9fb14e0aec0717e76d56cf9e
Instruction Fuzzy Hash: 66E0B6B4D50209EFD744EFBDCA09A9EBBF4BF08600F11C5A9D019E7256E7B496048F91

Function 071AAD87 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35b72de94dc9ec5f796c34b6e5eaa2afe4986bb8c660e799b043c139d8fcafb1
Instruction ID: d61050ae8ddd274fc0e74362177bbfa984d3bac86f5aff80878abf19e7826a30
Opcode Fuzzy Hash: 35b72de94dc9ec5f796c34b6e5eaa2afe4986bb8c660e799b043c139d8fcafb1
Instruction Fuzzy Hash: B7E0B6B8D042089FDB08DFE8E4451ACBBF6FF49300F10A419D45AAB385DB305802CF20

Function 071AACB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 779e156979dfc428cf0bc998d240cf3c60e1e4f778246b5257d28c5337fd5691
Instruction ID: b2b3b199d89f1210336d5b475685cf61f74ea128e8f6b4032ea55aacfc6d7f8e
Opcode Fuzzy Hash: 779e156979dfc428cf0bc998d240cf3c60e1e4f778246b5257d28c5337fd5691
Instruction Fuzzy Hash: B0E017B4D15209EFDB81EFB9E94A69DBBF8AB04301F1090A9D808A3340EB706A40CB51

Function 071A5FC8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: e4d4d0d29aed3dd64c6aa69d49be03ba5aa36083c94d71db7258569c552df4b9
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: 82D09EB6D04139A78B10AFE9DC054DFFF79EF05A50F418126E915A7100D3715A21DBD1

Function 071A55D0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0406a8f72a1c1f9e0c1ca8f5e8ff46720fb8ea5d1a16c53ed5c64d6bb81e6b88
Instruction ID: ecb3c9fc22e3fc9f9fd07a66e393f9e4f1210561bb83738e0f16b427917fa96c
Opcode Fuzzy Hash: 0406a8f72a1c1f9e0c1ca8f5e8ff46720fb8ea5d1a16c53ed5c64d6bb81e6b88
Instruction Fuzzy Hash: 67D0A92500A7C1AED303A3208908858BFB6AEA250139A84C3D8C0CA833C6184828D362

Function 071AA56C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e9a7587e68c26de2f047d186163647c4fa08a656d496a4030448612f028e6d
Instruction ID: 0a92bcec3fc880155009b4413add1da91235e9cf5544d859da3913182195165e
Opcode Fuzzy Hash: 47e9a7587e68c26de2f047d186163647c4fa08a656d496a4030448612f028e6d
Instruction Fuzzy Hash: E1D0523AA46208CFDB10CB08EA41AE8B7BAEF85211F0091E5C00D92254D7302E888F11

Function 071ACD08 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2823f01949842d8b03fdfedd4293a28cd535b869657dca80affcf53628475162
Instruction ID: ab624e1692b9d981e9a37adbdde2dfe9a5d52a3c6605b754e4c16f1265fed314
Opcode Fuzzy Hash: 2823f01949842d8b03fdfedd4293a28cd535b869657dca80affcf53628475162
Instruction Fuzzy Hash: 78D0127A240208AE8B51EE95E800D527BDCFB54640700C432E508CB021E721E438E791

Function 071AA2B0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ee78b6592a4ffc3110d332c4237e90625d06e1629e73b806bf8dc8853f4f1f
Instruction ID: 5df3bd043431a8d3f2d90ded44fe5662c353bcf4a5462668d04989155579ccdd
Opcode Fuzzy Hash: d8ee78b6592a4ffc3110d332c4237e90625d06e1629e73b806bf8dc8853f4f1f
Instruction Fuzzy Hash: 18C08CB004070697D3022BD6BA0F3A4B7AC5B01302F44A020A00C604924BB82860CBA1

Function 071A7029 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8eb558d6c01e3a750170eac87da10636827f20c542e6f1b73674167b22b5e319
Instruction ID: a9c31193610d887de68ca87e22bc6c73106ffa7f0eb3024cc96b4e2b54b8e00f
Opcode Fuzzy Hash: 8eb558d6c01e3a750170eac87da10636827f20c542e6f1b73674167b22b5e319
Instruction Fuzzy Hash: 71B012B9048381F4C70192708A40E9DAF635B65764FA84003E6C4100478375007BD317

Non-executed Functions

Function 04CC0040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728838296.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cc0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cec7fc6ae75c50fc2049591cce6a0d63bc7d726123387f7bab05470051269e9
Instruction ID: c5449a90c03e6a2b1f02e0533b2ffcc9ea3e2066f3bef90eee375e376249ff35
Opcode Fuzzy Hash: 9cec7fc6ae75c50fc2049591cce6a0d63bc7d726123387f7bab05470051269e9
Instruction Fuzzy Hash: 5F1295B0C827458AD330EF65E84C1893BB1BB45319BD04E19D2619F2E1E7B8126EEF5D

Function 071AF678 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c35a6838352aff8d981b164d59de2113be43d8a4078ea52ae4b2e1d95b3c8090
Instruction ID: e19d10d03c5dc425d461812d5424928354397cddf93982693974ce37053522d7
Opcode Fuzzy Hash: c35a6838352aff8d981b164d59de2113be43d8a4078ea52ae4b2e1d95b3c8090
Instruction Fuzzy Hash: F4E1FAB4E001599FCB14DFA9C5809AEFBF6BF89305F24C169E415AB356DB30A942CF60

Function 071AF240 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbd724dd309da4298e9a046f1e36345ac340dc67b3773abf9c488c5e7e236867
Instruction ID: 038c012ac801e2b0727d35149a3cd413cfb419e5b78cd8dbeeb2d4eca36ca944
Opcode Fuzzy Hash: fbd724dd309da4298e9a046f1e36345ac340dc67b3773abf9c488c5e7e236867
Instruction Fuzzy Hash: 2AE1FCB4E002599FCB14DFA9C5809AEFBF6BF49305F24C169E419A7356DB30A942CF60

Function 071506D8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d90788dc17096b5a05bd86721c6baefe8af66fd84db714ced856d0a6c33da82
Instruction ID: a437ad675b5cd5c677c17fbd63eb1e5c62f77d536bf4f0ce7f139eb4253b77b6
Opcode Fuzzy Hash: 8d90788dc17096b5a05bd86721c6baefe8af66fd84db714ced856d0a6c33da82
Instruction Fuzzy Hash: EFE1EBB4E00159CFCB18DFA9C5909AEFBF2BF89305F248159E815A7356DB31A981CF60

Function 071502A0 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731104649.0000000007150000.00000040.00000800.00020000.00000000.sdmp, Offset: 07150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7150000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d833dadc82870ebb1e6f9319aa26e3d47cc77679633e8d7a0451f0d200a2ab49
Instruction ID: 81d34b3b550d77c8f5e64b8a0ad26c49f8aabbc2f4747af2a2a0fa180e4e2cf3
Opcode Fuzzy Hash: d833dadc82870ebb1e6f9319aa26e3d47cc77679633e8d7a0451f0d200a2ab49
Instruction Fuzzy Hash: F6E1DAB4E00159CFCB18DFA9C5809AEFBF2BF89305F248169E815A7356DB31A941CF61

Function 071A6669 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681555f5a7c9f45c31297ab9c682bc047c1a2c1bc4ed20e3c98020e747fb891b
Instruction ID: f907722e434c2ff4a6e4c6aa66f4640efc9c231d4df314f7a582286f06eb696b
Opcode Fuzzy Hash: 681555f5a7c9f45c31297ab9c682bc047c1a2c1bc4ed20e3c98020e747fb891b
Instruction Fuzzy Hash: FEE11635D2065A9ACB10EFA8D994ADDF7B1FF95300F10C79AE00937225EB706AC5CB91

Function 071A6678 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac414b4dc3170bd6806c36a364521000cc94a915e31230a883d05f78909045d8
Instruction ID: de585de51425bb2d8c5cb1adaee593314444975e1476765f83a69d7230b1b8fa
Opcode Fuzzy Hash: ac414b4dc3170bd6806c36a364521000cc94a915e31230a883d05f78909045d8
Instruction Fuzzy Hash: FFD1F435D2065A9ACB00EFA8D994ADDB7B1FF95300F10C79AE40937225EF706AC5CB91

Function 0256D57C Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1725456278.0000000002560000.00000040.00000800.00020000.00000000.sdmp, Offset: 02560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2560000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed63fad2caf8990572528ab102f2857db0ddeeb7d20feecf737962924f2833d9
Instruction ID: a0d6e31c6a1a5050a4ca3d288b53c4e92486c0f4ce6c268160a88209e07e9119
Opcode Fuzzy Hash: ed63fad2caf8990572528ab102f2857db0ddeeb7d20feecf737962924f2833d9
Instruction Fuzzy Hash: 59A17F32E00206CFCF15DFB4D8485AEBBB2FF85304B15856AE806AB265DB71E956CF44

Function 04CC003F Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1728838296.0000000004CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04CC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4cc0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1b7f128341bc752782d136ab705ccd38a754c3f0381334cc8ac26a723226ef
Instruction ID: bd5cb5fb45fda1c8b8f1575f34ae6d0940e6798185480cdc7670208a1b2fac93
Opcode Fuzzy Hash: 4e1b7f128341bc752782d136ab705ccd38a754c3f0381334cc8ac26a723226ef
Instruction Fuzzy Hash: E7C12CB0C82705CBD730DF65E8481897BB1BB85315FE04E19D161AB2E0EBB4166EEF58

Function 071ADE30 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1731169380.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_71a0000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38aedf65e25faee093ef28d2120e990478b5c52295ea7c7189bcb9e7f319ae01
Instruction ID: c8d3bf97f8cd50a7cb69f7449627f645bcfbda4fb34861092937da7386442f7c
Opcode Fuzzy Hash: 38aedf65e25faee093ef28d2120e990478b5c52295ea7c7189bcb9e7f319ae01
Instruction Fuzzy Hash: 8F51F6B8E1960AEFCB08CFAAE4405EEFBF6BF8A300F159025E459B7659D7305941CB50

Function 0534B12C Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729562440.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bdf96561c4d68da428d0231891bd9441c149d94efed58d4c5af6150824ed97c
Instruction ID: 9633dcf4ec2e9d7d10301877f4edc4f33444bef33bd7797be14a84b978bd667e
Opcode Fuzzy Hash: 9bdf96561c4d68da428d0231891bd9441c149d94efed58d4c5af6150824ed97c
Instruction Fuzzy Hash: AF51FBB4E002099BDB04CFA9D980AAEBBF6FF88300F14C565E515E7255D734AA818F60

Function 0534D868 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1729562440.0000000005340000.00000040.00000800.00020000.00000000.sdmp, Offset: 05340000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5340000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c17db2ceced469ec90082a13d055fc9f31587b2c01acf4b65358bcf206bbb386
Instruction ID: 57bcbbb7a739c0279d8eb4df0116b9fbe45e88b1b89d107e5af8b699e754f2ae
Opcode Fuzzy Hash: c17db2ceced469ec90082a13d055fc9f31587b2c01acf4b65358bcf206bbb386
Instruction Fuzzy Hash: 3D51DBB4E046099FDB04CFA9D880AAEBBF2FF88300F14C565E519E7255D734AA91CF64

Analysis Process: product sample requirement.exePID: 7236, Parent PID: 6576COMMON

Executed Functions

Function 02F180E0 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4127637884.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f10000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 297905810ec28fc67cfc43d14ea150cd163e75128edf229e02dfcc40f29ed29f
Instruction ID: 2ffd71728ea2f56f730c01b19052271c0d1ab6ddcde9b9d48530200e13971519
Opcode Fuzzy Hash: 297905810ec28fc67cfc43d14ea150cd163e75128edf229e02dfcc40f29ed29f
Instruction Fuzzy Hash: 4F416632E003958FDB05DFB9D8002DEBBF1BF89350F14856AD508A7250EB389845CBD1

Function 02F17CD0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,02F18132), ref: 02F1821F

Memory Dump Source

Source File: 00000008.00000002.4127637884.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f10000_product sample requirement.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: c6561e70ac0bfdc08b31f3bfaeb186b377323932608b2a0744768358b507febb
Instruction ID: 32301faa35f54d4313c4576e5e0c339b8fe2eb2b12748502ba710c83bd28d9d8
Opcode Fuzzy Hash: c6561e70ac0bfdc08b31f3bfaeb186b377323932608b2a0744768358b507febb
Instruction Fuzzy Hash: AD1100B2D006599FDB10DF9AC544BEEFBF4AB48364F10816AE918B7240D378A940CFE5

Function 02F181B0 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNELBASE(?,?,?,?,?,?,?,?,?,02F18132), ref: 02F1821F

Memory Dump Source

Source File: 00000008.00000002.4127637884.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2f10000_product sample requirement.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: d5481c02d5e2c9e6b3166e4f197e099373867c31efff04d8352e7748657b0a33
Instruction ID: 1ae74d4ce5c5db60dd1b3dbdf67c1da66026801b61ee2ce42b6b123d754b8823
Opcode Fuzzy Hash: d5481c02d5e2c9e6b3166e4f197e099373867c31efff04d8352e7748657b0a33
Instruction Fuzzy Hash: F21133B6C006598BDB10CF9AC6447DEFBF4AB08364F20816AD818B7240D378A940CFA4

Function 0158D138 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4127228806.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_158d000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101efad2a1c2cfb9b11272af6eb088eb5e12a3194160975841208d98ccfc0ccd
Instruction ID: 8ce11c8d93577f44173b24b36da3ad8337b39a6cd4c25df486e508fefb08e4f2
Opcode Fuzzy Hash: 101efad2a1c2cfb9b11272af6eb088eb5e12a3194160975841208d98ccfc0ccd
Instruction Fuzzy Hash: 35210371504204DFDB05EF98D9C0B2ABFF5FB98324F208569E90A5F296C336D456CAA1

Function 0158D133 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4127228806.000000000158D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0158D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_158d000_product sample requirement.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: ed1148f0efe9c6ba314acf36fd46dbffb071acb0829e8a77b15d47666094d826
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: AD11E172404240CFCB16DF44D9C4B1ABFB2FB84324F24C1A9D8090F256C336D45ACBA1

Analysis Process: TWmzcmqkuotC.exePID: 7340, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	161
Total number of Limit Nodes:	11

Executed Functions

Function 06E10040 Relevance: 15.1, Strings: 10, Instructions: 2603COMMON

Download Yara Rule

Strings

4|cq, xrefs: 06E12E28
4'^q, xrefs: 06E12CAE
4'^q, xrefs: 06E11F11
4'^q, xrefs: 06E12C53
4'^q, xrefs: 06E10EA3
4'^q, xrefs: 06E1102B
$^q, xrefs: 06E12D00
(o^q, xrefs: 06E10116
4'^q, xrefs: 06E12CDE
4|cq, xrefs: 06E12E43

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: (o^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4|cq$4|cq$$^q
API String ID: 0-2723476363
Opcode ID: 9ab0b73a3ffe03e0cd12d9f13b6c12b428647df42b49d4cd130704644634ed05
Instruction ID: 7c81227beb69521e6448f579b738c97e7307d99f1593ea82a9174738f58b4f18
Opcode Fuzzy Hash: 9ab0b73a3ffe03e0cd12d9f13b6c12b428647df42b49d4cd130704644634ed05
Instruction Fuzzy Hash: 13430874A00219CFCB64DF68C888A9DB7B2BF49314F159595E919AB3A1CB30EEC1DF50

Function 06E134B8 Relevance: 5.6, Strings: 4, Instructions: 562
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

4'^q, xrefs: 06E13874
~, xrefs: 06E136D6
:, xrefs: 06E13737
pbq, xrefs: 06E1393D

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: 4'^q$:$pbq$~
API String ID: 0-999388165
Opcode ID: 398674d31ab542ffee6fb0f21ba43a5eabd986e914f7c3c2b7582533fcc32338
Instruction ID: 92f4b8a8a4a3b6a03dc9e1b97133e5597f941235a524ddaa0fb3a982bcc97850
Opcode Fuzzy Hash: 398674d31ab542ffee6fb0f21ba43a5eabd986e914f7c3c2b7582533fcc32338
Instruction Fuzzy Hash: 9942F175E00228DFDB55CFA8C980B99BBB2FF88304F1590E9E509AB261D731AD91DF50

Function 06E1A2D1 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7233e88601e0b723ba51f02d89cf29700b641c685e0cae77e8bd011c6619019c
Instruction ID: 92116b1bf3835bdf1af897c257bb9433ea761c6056da766e5196a2c886028292
Opcode Fuzzy Hash: 7233e88601e0b723ba51f02d89cf29700b641c685e0cae77e8bd011c6619019c
Instruction Fuzzy Hash: AF112EB1D017089BEB18DF6BDC053AEBBF7AFC9300F18D0799418AA264DB7405469F41

Function 06DD13C4 Relevance: 1.7, APIs: 1, Instructions: 244
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DD1606

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4487260966a3713ddd19e5220ec93cc4a947d133ede2f823fabd5f56765ce378
Instruction ID: 66cfc94c018a5f05b15c89cf94e4d39e3e0cf6faf0d093ef40466e41f1a5d846
Opcode Fuzzy Hash: 4487260966a3713ddd19e5220ec93cc4a947d133ede2f823fabd5f56765ce378
Instruction Fuzzy Hash: 75913871D002199FDB50DFA8CD41BEEBBB2FF48314F1485AAE809A7290DB749985CF91

Function 06DD13D0 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06DD1606

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: b69e9c2ddb331852e0862d601798fe89a4648ff27e5515412eb96503b2ed6b83
Instruction ID: 403b99be1a40eb5f529fe2a47219cf6bc750c735fb6109e5fc6c805a62505dab
Opcode Fuzzy Hash: b69e9c2ddb331852e0862d601798fe89a4648ff27e5515412eb96503b2ed6b83
Instruction Fuzzy Hash: 15912971D002199FDB50DFA8CC41BEEBBB2FF48314F1485AAE849A7290DB749985CF91

Function 00EBAD68 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EBAFBE

Memory Dump Source

Source File: 00000009.00000002.1765295566.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eb0000_TWmzcmqkuotC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 3a7cf24ba2dcf277b5d8349a182f0c15042b130074d4c1e1a071a8fc26d3fdbe
Instruction ID: a8f2cf001337b59d9255daff3bbf6fbe39f9b640e1d68939e507c33988368698
Opcode Fuzzy Hash: 3a7cf24ba2dcf277b5d8349a182f0c15042b130074d4c1e1a071a8fc26d3fdbe
Instruction Fuzzy Hash: C2711370A00B058FDB24DF69D05179BBBF1BF88304F148A2ED48AE7A50D775E949CB92

Function 00EB44B4 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EB59C9

Memory Dump Source

Source File: 00000009.00000002.1765295566.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eb0000_TWmzcmqkuotC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: cb2a087b95f95f3272649d7ba5c961af335f8589f7f11c7ee2a8a883a80d36f2
Instruction ID: 45785550fbd607a6d48e9719e50f3cac6de48ee4c244d3e0dd81acd34fc3f71b
Opcode Fuzzy Hash: cb2a087b95f95f3272649d7ba5c961af335f8589f7f11c7ee2a8a883a80d36f2
Instruction Fuzzy Hash: A141E0B1C00619CBDB24DFA9C884BDEBBB5BF88304F20806AD408BB251DB756945CF90

Function 00EB5916 Relevance: 1.6, APIs: 1, Instructions: 91
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00EB59C9

Memory Dump Source

Source File: 00000009.00000002.1765295566.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eb0000_TWmzcmqkuotC.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: d4fe0a45c2cfb8fc10a88dc9abf2bd09f72626d8cd11906da6676f0ad043269c
Instruction ID: de5d0d6884efa1712fce74c93f149cc8ce71f76af9151642ffe03c418d52d384
Opcode Fuzzy Hash: d4fe0a45c2cfb8fc10a88dc9abf2bd09f72626d8cd11906da6676f0ad043269c
Instruction Fuzzy Hash: D941EFB1C00619CFDB24DFA9C8847DEBBB5BF88304F24816AD408BB255DB756986CF90

Function 06DD1140 Relevance: 1.6, APIs: 1, Instructions: 70
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DD11D8

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 75d0711f30e295ed9ccc34db108a3762301644bc43b783ed46122e8186c4df49
Instruction ID: ec3252d51e214262df1b00ff49ade9642285602dc109017a6f74d310ff139fba
Opcode Fuzzy Hash: 75d0711f30e295ed9ccc34db108a3762301644bc43b783ed46122e8186c4df49
Instruction Fuzzy Hash: C22146B5D003099FCB10DFA9C985BEEBBF1FF48310F10842AE959A7250C7789945CBA0

Function 06DD1148 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06DD11D8

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9f69fd2a8efdfe44d35045ca0c578813232b6e047633937accea32b7181b9291
Instruction ID: aa0a89358d44fe8cb145bf0df5146764a8facbb0649b0aa926ce325f4d60bcef
Opcode Fuzzy Hash: 9f69fd2a8efdfe44d35045ca0c578813232b6e047633937accea32b7181b9291
Instruction Fuzzy Hash: 112127B5D003599FCB10DFA9C885BDEBBF5FF88310F108429E958A7250D7789944CBA4

Function 00EBD23C Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EBD616,?,?,?,?,?), ref: 00EBD6D7

Memory Dump Source

Source File: 00000009.00000002.1765295566.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eb0000_TWmzcmqkuotC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ed036197c5493f9150dac6c285922e18534d7bdc2ef62fc0f36eb1b02127219b
Instruction ID: 0f7f4b6c2a110e71bab9dde6ac5629ebd04d529cdf448d4babd6dc5535aeff66
Opcode Fuzzy Hash: ed036197c5493f9150dac6c285922e18534d7bdc2ef62fc0f36eb1b02127219b
Instruction Fuzzy Hash: BE21E4B5900248DFDB10CF9AD984ADEFBF8EB48314F14841AE958B7310D374A944CFA4

Function 00EBD648 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00EBD616,?,?,?,?,?), ref: 00EBD6D7

Memory Dump Source

Source File: 00000009.00000002.1765295566.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eb0000_TWmzcmqkuotC.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: c0751b01517cf0c846eab10cd55edb4571480d5ea396ae53b88d08c7b3b9f1e2
Instruction ID: dd22ee6c4c3b3c9446eeb13c7fb58062e1eddf23afc326b472f4b47ce51a24b4
Opcode Fuzzy Hash: c0751b01517cf0c846eab10cd55edb4571480d5ea396ae53b88d08c7b3b9f1e2
Instruction Fuzzy Hash: B32114B5900218DFDB10CF9AD884ADEBFF4EB48320F10841AE918B7310D378A940CFA4

Function 06DD0FA8 Relevance: 1.6, APIs: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DD102E

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7f5d93d36e68b56b82bae4bcf8794bb8a1f12d16c96c4078b0952fae084cc2fb
Instruction ID: 7e9d0ca306a338515f8c84c3de0dab6f4c32e5dda48f1cec6b8973d915c08bb3
Opcode Fuzzy Hash: 7f5d93d36e68b56b82bae4bcf8794bb8a1f12d16c96c4078b0952fae084cc2fb
Instruction Fuzzy Hash: BD2177B5D002098FDB10DFAAC8857EEBBF4EF88364F10C42AD559A7240C7789985CFA4

Function 06DD0FB0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06DD102E

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: dce234dac11a255d80d4b2778138529b2cd61c1489711401260ac19b99f526a1
Instruction ID: 8d5abe0ccf6c54ebef72cc268b9b6beed84d7bb81a41e0ffd1c9c7b11d825566
Opcode Fuzzy Hash: dce234dac11a255d80d4b2778138529b2cd61c1489711401260ac19b99f526a1
Instruction Fuzzy Hash: A72149B1D003098FDB10DFAAC8857EEBBF4EF88364F10842AD559A7240C7789945CFA4

Function 06DD1238 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DD12B8

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e7931267d0a259328f46825e0dcbfb6bcfdc3f4cbf70a9f30b6fb65801b54834
Instruction ID: af266cd0de425ea08cfe9def4b69086d2d7b986a9e010137f235e36ebe2e4ec2
Opcode Fuzzy Hash: e7931267d0a259328f46825e0dcbfb6bcfdc3f4cbf70a9f30b6fb65801b54834
Instruction Fuzzy Hash: FB2128B19002599FCB10DFAAC841ADEFBF5FF48320F108429E558A7250C7399544CBA4

Function 06DD1231 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06DD12B8

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: e2ce96723c5a2243f41a864113818d66a883886441fe45f28d0fb82a589c4c2d
Instruction ID: 809c8d379c4a40acec9f22e7919389cd23fbc4ef78fcb3bfd65838446a8dcce2
Opcode Fuzzy Hash: e2ce96723c5a2243f41a864113818d66a883886441fe45f28d0fb82a589c4c2d
Instruction Fuzzy Hash: 332145B1D002198FCB10DFA9C981BEEFBF1FF48320F10842AE959A7250C7389544CBA0

Function 06E14FDF Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

@, xrefs: 06E15107

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 2fd018f7cc5b9afd4a770bae3864cd00126449f5cdb6d8835aef4d9a0854aab1
Instruction ID: b18faace9ca1869a1d54688d3499c26806f0e0d6ce9f618c28263e0413105fe5
Opcode Fuzzy Hash: 2fd018f7cc5b9afd4a770bae3864cd00126449f5cdb6d8835aef4d9a0854aab1
Instruction Fuzzy Hash: BAE194B4E04218CFDB50DFA9D880A9DBBF1FB89314F2491AAD819EB345E7319985CF50

Function 06DD1080 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DD10F6

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2dd3c220024f8266b8b19dd5642cf2ae48ae3e422aec385c034960280c51a4ee
Instruction ID: 4e846b7a72f2d1a8cc0d8c8c1dd684311d2ff04e49715104c36f5ece4c6940f8
Opcode Fuzzy Hash: 2dd3c220024f8266b8b19dd5642cf2ae48ae3e422aec385c034960280c51a4ee
Instruction Fuzzy Hash: FE1167B6900249CFCB10DFA9C9457EEBFF5EF88320F24881AD559A7250C7399544CFA0

Function 06DD1088 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06DD10F6

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3550c7a7f0d7e45b89428b346dca543c4bf3cf7c77834571d112a2d3868ff921
Instruction ID: 93b4375011d46a8606bfaf43f080c879e4156dfec809d9a553e2b21b44cfe96f
Opcode Fuzzy Hash: 3550c7a7f0d7e45b89428b346dca543c4bf3cf7c77834571d112a2d3868ff921
Instruction Fuzzy Hash: 961137759002499FCB10DFAAC845BDFBFF5EF88320F108419E559A7250C775A554CFA4

Function 06DD0EF8 Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DD0F62

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 3cd7200e984b35f5680e54d83e550d7d0d491a9bd93ddef5932d1d764c48dfab
Instruction ID: a285f5d291258e94ec35232bbacda24d31f34a0f436f86871387f2dc3c2251a9
Opcode Fuzzy Hash: 3cd7200e984b35f5680e54d83e550d7d0d491a9bd93ddef5932d1d764c48dfab
Instruction Fuzzy Hash: 801158B5D002488FCB10DFA9C4457EEFBF4EF88324F24881AC159A7250D739A545CF95

Function 06DD0F00 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06DD0F62

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 6afa18044609fd516379d5b1ef1845669cc68f3c9fa43d73ed6082f322b7e129
Instruction ID: 0d8d6e92fb33cdb34d097a651fea16bc86dc15ac4a7889372b57e73d962caeea
Opcode Fuzzy Hash: 6afa18044609fd516379d5b1ef1845669cc68f3c9fa43d73ed6082f322b7e129
Instruction Fuzzy Hash: F1113AB1D003488FCB10DFAAC4457DEFBF4EB88324F208419D559A7250C775A544CF95

Function 00EBAF58 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00EBAFBE

Memory Dump Source

Source File: 00000009.00000002.1765295566.0000000000EB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_eb0000_TWmzcmqkuotC.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: b40f9466ce1b22aa9dc2f364c71a69aed98df0682c22139006ff830bf8784c60
Instruction ID: e96104d0d8cb07bb9550f06d0e37b3d52faa038f24f29e5acd99f3a8c47b165b
Opcode Fuzzy Hash: b40f9466ce1b22aa9dc2f364c71a69aed98df0682c22139006ff830bf8784c60
Instruction Fuzzy Hash: CE11EDB6D002498FCB10CF9AD444ADFFBF4AB88328F14842AD869B7610D379A545CFA5

Function 06DD4831 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06DD4895

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: c50c831de155b8c5ab21f468d6132ee99dc0be5c121614b7d206339c16e80a09
Instruction ID: 62ac9ea758a69994d8daa12452c2be3f5b8e7bfae5e1e04f01dd3215f44c21bb
Opcode Fuzzy Hash: c50c831de155b8c5ab21f468d6132ee99dc0be5c121614b7d206339c16e80a09
Instruction Fuzzy Hash: 4011F5B58003489FDB60DF9AC889BDEBFF8EB48354F108819E554A7650D375A544CFA1

Function 06DD4838 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 06DD4895

Memory Dump Source

Source File: 00000009.00000002.1770710190.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6dd0000_TWmzcmqkuotC.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 132ea0b031bce39c092ce1952dc9fe84e9bd3de1ee6533799cfd908fcbab2ad8
Instruction ID: 7530f22d773ac4cad90f8085d98e001262e90dd4185768355db107fa6ace4726
Opcode Fuzzy Hash: 132ea0b031bce39c092ce1952dc9fe84e9bd3de1ee6533799cfd908fcbab2ad8
Instruction Fuzzy Hash: AD11D0B5800349DFDB10DF9AD885BDEBFF8EB48324F10881AE558A7610C375A984CFA5

Function 06E13D9E Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

LR^q, xrefs: 06E13E1A

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: a43b6fc2641acf3f4c9f3d9a3797261e1993028564202324c3f01fb9f03d281c
Instruction ID: bcbea488a6d2fcd00922f26b19850cb75831b9b49b9feab4eebca3de611e5436
Opcode Fuzzy Hash: a43b6fc2641acf3f4c9f3d9a3797261e1993028564202324c3f01fb9f03d281c
Instruction Fuzzy Hash: 3691E674E142089FDB44DFA9D4806EDBBF2FB89314F20956AE819EB345E7319A42DF40

Function 06E14894 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06E15C51

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: b2ce31c1d535f8d3eb48d20b85ae9c623d7129d4058ec197b80ee57f6ff4a1f0
Instruction ID: 43f247b88958aa748f2f00d988d7a07d9057589ee132cc14036c5ad63b753c0d
Opcode Fuzzy Hash: b2ce31c1d535f8d3eb48d20b85ae9c623d7129d4058ec197b80ee57f6ff4a1f0
Instruction Fuzzy Hash: AB51BE71B003058FCB05DF7998888BEBBF7EFC5210B15896AE469CB391DB309D068791

Function 06E14428 Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

8bq, xrefs: 06E144C9

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: d2fd4d8f99bc057f35a07ff4e92032dec03e6ddbc354d4329b25e4785c41da11
Instruction ID: e58b0943fb3a1f9246a121ed90a3bbf8992a884f4344af9bca379da8f47c07de
Opcode Fuzzy Hash: d2fd4d8f99bc057f35a07ff4e92032dec03e6ddbc354d4329b25e4785c41da11
Instruction Fuzzy Hash: 4E41E674E00209DFDB44DFA8E5909EEBBF2FB89304F109469E915AB384DB319942DF50

Function 06E14417 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

8bq, xrefs: 06E144C9

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 0a07d9f494f636abd3d96b555edf6c8765301b27a1a113013c8202298f28e352
Instruction ID: 5acf299b3e917d82d6337fce904fcb0898059d1d7ca650795aee0f4ccf0e92e3
Opcode Fuzzy Hash: 0a07d9f494f636abd3d96b555edf6c8765301b27a1a113013c8202298f28e352
Instruction Fuzzy Hash: EB410775E00209DFDB44DFA8D4906EEBBF2FB89304F14846AE919AB380DB319946DF54

Function 06E1AD6B Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06E1ADB9

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 19899df1050b6cc11cda1b8f373209ddca680aa7c215c36f1f22b0d3aa0f478f
Instruction ID: 28359d67a8eb9308cf67adcdf3fd04e803b2e1dfba14a77a368e9dddaa0a330c
Opcode Fuzzy Hash: 19899df1050b6cc11cda1b8f373209ddca680aa7c215c36f1f22b0d3aa0f478f
Instruction Fuzzy Hash: CF31D274E02308CFDB44DFA9D9849EDBBB6FF89301F10A12AE919AB261C7319945DF40

Function 06E1AD5A Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06E1ADB9

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 7abdd30f6e4fd4a2d0ca8acd590c6ee5fd29bead2a9ec2f082fd3377cc5abfad
Instruction ID: 3f8eb984fcedc2fe606bd7b57d575039b7b1aaa5fe9730c4c458801e9325efc1
Opcode Fuzzy Hash: 7abdd30f6e4fd4a2d0ca8acd590c6ee5fd29bead2a9ec2f082fd3377cc5abfad
Instruction Fuzzy Hash: F831B074E05209CFDB48CFA9D4849EDBBB6FF88310F14A12AE919AB221C7359945DF50

Function 06E1AED1 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06E1ADB9

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 349694d13921ab297d6b0394882c63304e65e39b5d532a0ebc13ea2a59e5084b
Instruction ID: 1605a96484adab384bab909ed5858f2b7ed18bceef0ea6bbc3be0a085167fea4
Opcode Fuzzy Hash: 349694d13921ab297d6b0394882c63304e65e39b5d532a0ebc13ea2a59e5084b
Instruction Fuzzy Hash: 9B31D174E01208CFDB48CFE8D8849EDBBB5FF48310F10912AE919AB225C7355945DF50

Function 06E15608 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

Te^q, xrefs: 06E15673

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: ef146cad9b5aaaed30e5ecf931f461185e60db0996402ab8e79dd4619e863308
Instruction ID: 8633c2e796e1dc2eceefbdb5da0126f7808b28533c93a2dbb3d0e8b5336172ca
Opcode Fuzzy Hash: ef146cad9b5aaaed30e5ecf931f461185e60db0996402ab8e79dd4619e863308
Instruction Fuzzy Hash: 7B114C71F1020A8BDB84EBB9D9005EEB6F6ABD4214B10403AC409EB344EF318E06DBE1

Function 06E17450 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

m, xrefs: 06E17464

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 2b74023d708516e2a1f53bb1195dc3a07fd88a87b67c1f3a96f4d426b42f9afc
Instruction ID: 758622e39c1e50d35c5e82cab8144e63e5ec3fdb8e9454aafc4d04ff33f5b3c0
Opcode Fuzzy Hash: 2b74023d708516e2a1f53bb1195dc3a07fd88a87b67c1f3a96f4d426b42f9afc
Instruction Fuzzy Hash: 28E0C230D05308DFDF84EFB4D4042AD7FB8A701704F002194D44597240DB310A46EAA1

Function 06E13348 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

6, xrefs: 06E1335C

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: 6
API String ID: 0-498629140
Opcode ID: 1999bc19b2301d6aa343f2ae1667e7a0743409ff6b4d8b4030c80503b9256924
Instruction ID: 1927d37a32653c8f25981e7059ab071948ba1d37d8fb2529e5e165a26e973dda
Opcode Fuzzy Hash: 1999bc19b2301d6aa343f2ae1667e7a0743409ff6b4d8b4030c80503b9256924
Instruction Fuzzy Hash: A6E0C234D14308EBDB50EFB4E40D2ADBFB8A706305F109695E40597240EF314A42E685

Function 06E14038 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

7, xrefs: 06E1404C

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: 7
API String ID: 0-1790921346
Opcode ID: 35425ed93acfd435569bf6659f33d98bb9a07c46285284769446a44f5b30baaf
Instruction ID: 1d46c67f8bdd3a473fedc2b80779f4af20715e8a59bb105441b288b100cf95b7
Opcode Fuzzy Hash: 35425ed93acfd435569bf6659f33d98bb9a07c46285284769446a44f5b30baaf
Instruction Fuzzy Hash: 4FE0C270D0530CDBCB90EFF5E4056AD7BF8A701304F402194D40697780EB350E45F682

Function 06E1C7AD Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

@, xrefs: 06E1C7BA

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: c7ffbfb9c2d1e613fce76413180f678594c81e9aacac5baf120a80b61546a615
Instruction ID: c19170c84baabd9826f2b5e98ff668a87462e588140e831a81da73fe43ce185e
Opcode Fuzzy Hash: c7ffbfb9c2d1e613fce76413180f678594c81e9aacac5baf120a80b61546a615
Instruction Fuzzy Hash: A5E0C270918348CFE744CF25C8802EC7F69FF87260B10A298D46F9B195CB381482CB42

Function 06E1AF28 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94e543bea6de627d0621efcdef6ac793e3695aab30274d3e1f2ae68b82c44c4b
Instruction ID: c5b96ff41dd7d8cdee71bdb1ab068a65985a741e44737f8e0b486076d66bebdf
Opcode Fuzzy Hash: 94e543bea6de627d0621efcdef6ac793e3695aab30274d3e1f2ae68b82c44c4b
Instruction Fuzzy Hash: 1AB15F74E15219CFDB40DFA8D9809EDBBB5FF89300F109625E419AB355DB30AD8ADB80

Function 06E1AF23 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50f5cf37c207082c8861c70641786b6bfdfcfb50b3bd58103e1d320a82ac0e10
Instruction ID: 3902aa7d3507214e05ddcc2d6879794ce57ce4d498504b7a15d69a14f97a9473
Opcode Fuzzy Hash: 50f5cf37c207082c8861c70641786b6bfdfcfb50b3bd58103e1d320a82ac0e10
Instruction Fuzzy Hash: E1912F74E15219CFDB40DFA8D9809EDBBB5FF89300F109629E419AB355DB309D8ADB80

Function 06E16D37 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495db7a606df7dca74b06c5319201fd256b9d4a8455a1823a03344614f121700
Instruction ID: 4b2a1db4412671e3cc5e60fc7c022a2f008931ff7646999f6566bfe86c475215
Opcode Fuzzy Hash: 495db7a606df7dca74b06c5319201fd256b9d4a8455a1823a03344614f121700
Instruction Fuzzy Hash: 76819175E142198FDF51CFA8C880AEEBBB2BF49304F1094A9E819EB311D7319A46DF40

Function 06E18560 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3fa0b48561ed87a8219df16960d0c091367fdea1a99faad82440b3973ac4a81
Instruction ID: 203ae8bc0082a1c72d5fd6cd5b6b09fc5d506a074af397a21052d9e5fbc172d3
Opcode Fuzzy Hash: c3fa0b48561ed87a8219df16960d0c091367fdea1a99faad82440b3973ac4a81
Instruction Fuzzy Hash: 0F411774E20208DFDB44DFA9D490AAEBBF2EB89314F209569E816EB340DB31D941CF51

Function 06E18551 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac1c21946d0b2a2d766209e23848187b8f82034f603bda1f73adad0e806333ad
Instruction ID: 878af1926850aaed58e9d2de3d2325f0441eb4ea3b5c22b4abc1638cad147233
Opcode Fuzzy Hash: ac1c21946d0b2a2d766209e23848187b8f82034f603bda1f73adad0e806333ad
Instruction Fuzzy Hash: 10413A74E20208DFDB44DFA9D89069EBBF2EB89314F209569E815EB340DB31D946CF54

Function 06E12FB0 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e28d75c9b3797517cadcc53b82a8aa2a7b29e526a8795f50571a0d35931330d
Instruction ID: 3df39afc39cb94f36c1b0a6f8431dbe26fe0ddc3cc717eb8001d11c8f187ea7b
Opcode Fuzzy Hash: 5e28d75c9b3797517cadcc53b82a8aa2a7b29e526a8795f50571a0d35931330d
Instruction Fuzzy Hash: 6241E274E2020A8FCB54DFB9D8595AEBFF1AF4A315F10946AE802E7250EB35D942CF50

Function 06E12FC0 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9e5bd7cf8ad7cfd3393ca3ba22639d6ffa4539f75abca4c4c0194b396eb2c44
Instruction ID: 187ae984fa63396a5fedb38fdb57d13f3cb89d125e0d1ca4ed286bbcba78363b
Opcode Fuzzy Hash: c9e5bd7cf8ad7cfd3393ca3ba22639d6ffa4539f75abca4c4c0194b396eb2c44
Instruction Fuzzy Hash: 9931F074E2020A8FCB64DFB9D8595AEBFF1AF8A315F109469E802E7250EB35D941CF50

Function 06E1592C Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9ab1c5c23786f60afc5c2e5d8f823a7377abdf4522d57717298daa82969e596
Instruction ID: 468fcb8b249901e24d55b05dd28d1d04a10ce919d04796ea890f7b93e8775e22
Opcode Fuzzy Hash: f9ab1c5c23786f60afc5c2e5d8f823a7377abdf4522d57717298daa82969e596
Instruction Fuzzy Hash: D73159B1A003489FCF50DFA9D844ADEBFF9EF48324F10846AE919AB210D7359944CFA1

Function 06E1BD0B Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0af44f6de370a10ff9a3a05540a77f9e9b47cb915b00df64fab0e80f3b73432
Instruction ID: 175b29880f26c362b058c9a93252ed7f8b24b18319d5d586d039b7213142063c
Opcode Fuzzy Hash: b0af44f6de370a10ff9a3a05540a77f9e9b47cb915b00df64fab0e80f3b73432
Instruction Fuzzy Hash: B931F774D54218CFEB50CF98C584EDDBBB6BF49700F21E186E815AB219C734A981DF64

Function 06E15AB0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84360138b542d817f51c8b03805ef935683a2f24d65a6a63a9d36eb62f7822b0
Instruction ID: f8149105dc658e3e260fe5e135d5ea127b6167bfff57e682572c7c3f77b9b94c
Opcode Fuzzy Hash: 84360138b542d817f51c8b03805ef935683a2f24d65a6a63a9d36eb62f7822b0
Instruction Fuzzy Hash: A42129B5A047900FC702EF7C9C505EF7FB6EFC5260705446BD494CB291EA30890987A1

Function 00C5D4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763603277.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c5d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7eb3dbb86bfb704a224d8d76be1c19da8b76df5e3cbc132c91b1091fbdb78d7b
Instruction ID: dfc140be12c9140656ec0b0f4b09ddaff2959dbea077a0622722c54b45c00af8
Opcode Fuzzy Hash: 7eb3dbb86bfb704a224d8d76be1c19da8b76df5e3cbc132c91b1091fbdb78d7b
Instruction Fuzzy Hash: 752145B5500300DFCB21DF14C9C0B26BF65FB98319F60C169EC0A0B256C336D88ACBA2

Function 00C5D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763603277.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c5d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f72e662a145276cbbb42f1e131d4a7b015813f28ae02a359bd0dfcf1605e05fe
Instruction ID: bc7c42977535b52c07605cbdfb012df9b552880ccaf6eaf6a8fc75cc6b895490
Opcode Fuzzy Hash: f72e662a145276cbbb42f1e131d4a7b015813f28ae02a359bd0dfcf1605e05fe
Instruction Fuzzy Hash: 7F212879500304DFDB15DF14D9C0B26BF65FB94315F20C169ED0A4B256C336E89ACAA6

Function 06E1C5D0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5434c46136956a2ce78bc33ed4d7a13c2438f92c267c3c343f2b5e19bdc7fa29
Instruction ID: 1cb0e039075ca62dd0060d91474909820dc09f3ba7f14ebb864af2ab437e2e7f
Opcode Fuzzy Hash: 5434c46136956a2ce78bc33ed4d7a13c2438f92c267c3c343f2b5e19bdc7fa29
Instruction Fuzzy Hash: 8B21CF70E05318DFD748CB66D8449EEBFB6BBCA700B10E065E408EB351DB784902EB80

Function 06E14ED8 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1ef6ed000da84a5f75dca771503e3130f6d62664ffda648c57bc9a932869cc4
Instruction ID: a6958e6de762519a4f199470c1a7d37ef5139083106bfcf0e8af140f24922a3b
Opcode Fuzzy Hash: f1ef6ed000da84a5f75dca771503e3130f6d62664ffda648c57bc9a932869cc4
Instruction Fuzzy Hash: 313161B4E1020ADFCB50CFA9D5856EEBBF4AB08304F24A46AE814F7340E7349A41DF60

Function 00C6D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763667920.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c6d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9d7405a62bce8be675c1426a356b5fee5f15b2f3697e2fe6a5025f447bda6ff
Instruction ID: 3241ea54606a7b53120058fa2852f54afb4f2ea63dc33446429d1c8a7e8e0208
Opcode Fuzzy Hash: b9d7405a62bce8be675c1426a356b5fee5f15b2f3697e2fe6a5025f447bda6ff
Instruction Fuzzy Hash: 5D212671A04200EFDB25DF14D9D0B26BBA5FB88314F24C6ADE80A4B296C336DC46CA61

Function 00C6D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763667920.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c6d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1389ca1ad5af812310bfc2fa1094664e21534f7255745582a1c3930efd919f2d
Instruction ID: f0ada510fe02100ec45e376b4f8667896dd4e37381409890650542ca75014214
Opcode Fuzzy Hash: 1389ca1ad5af812310bfc2fa1094664e21534f7255745582a1c3930efd919f2d
Instruction Fuzzy Hash: 95210475A04240DFCB24DF14D9C4B26BFA5FB88314F24C56DE90A4B296C33BD847CAA1

Function 06E15C94 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eeab699c9a59913150c7358fd1c0aee704a3fd08b418d851c4464dd9b13642d
Instruction ID: c819dc4d820f60e68f3d91b5f33ec8193727ec68bc5ca50015ee547580e8e695
Opcode Fuzzy Hash: 1eeab699c9a59913150c7358fd1c0aee704a3fd08b418d851c4464dd9b13642d
Instruction Fuzzy Hash: 3331E0B0D01358DFDB60CF9AC989B8EBFF5AB48314F24945AE404BB250C7B56885CF95

Function 06E15748 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25b35853daec88c9b96d6c9193342942d5416f55377e05b15d8edbdc306b6c10
Instruction ID: 3bcc2b6cc6929bedadddf9e333d2e1f9cec3d3fd4caa32ce661caf979bff2231
Opcode Fuzzy Hash: 25b35853daec88c9b96d6c9193342942d5416f55377e05b15d8edbdc306b6c10
Instruction Fuzzy Hash: 9A31E0B0D00318DFDB60DF9AC988B9EBFF4AB48314F24945AE404BB250C7B55885CF95

Function 06E16FA0 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6292541479a9307b9c42739c7d743fabbf607a841e0c46e80c11d2991f64a331
Instruction ID: 058c595c41d389088d1f2f756f9cbfca2cf7910926436d95b97a8ff8fe1f4175
Opcode Fuzzy Hash: 6292541479a9307b9c42739c7d743fabbf607a841e0c46e80c11d2991f64a331
Instruction Fuzzy Hash: E311E3B1A09388AFCB46CBB4CD2546D7FF9DF52200B6544E6E804CB283E935CD06D722

Function 06E1E9A6 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f119a91f51dbab667d301fd1c68380c227763ff75caa8e859abf80120e58edc2
Instruction ID: 4627ea22e7ed22b587ee41f238361dbd743899fb9ebe1f72e479b6cad791a4e0
Opcode Fuzzy Hash: f119a91f51dbab667d301fd1c68380c227763ff75caa8e859abf80120e58edc2
Instruction Fuzzy Hash: A1210C749153098FDB44DFA4D5855EDBFB6FB84314B60A12AB81A9F358DB704C06CF40

Function 06E1BBB8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcd7912e216caf112a6e7238a6320d352d9a5984794c2dd73983518dce435ca7
Instruction ID: 3dea5f0f2cee1820a833dc3fa7477ad20e98a35b575f64676982f9ab4a181f88
Opcode Fuzzy Hash: dcd7912e216caf112a6e7238a6320d352d9a5984794c2dd73983518dce435ca7
Instruction Fuzzy Hash: D92107B1D146588BEB18CF9BC8053DEBFB6BF89300F04D16AE419AA264DB740946CF90

Function 06E14EC8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e7e8756e4cf14f25cdf9218926bf109409cf6e9bbf01e6a5a91fbf7e9b351d5
Instruction ID: 9ccbf3885fac6cef792c36767f4514fc32dd0fa216f5bdccf9ed073a046a318c
Opcode Fuzzy Hash: 4e7e8756e4cf14f25cdf9218926bf109409cf6e9bbf01e6a5a91fbf7e9b351d5
Instruction Fuzzy Hash: 7421A7B4E1024ACFCF50CFB9D5446AEBBF0AB09304F1495AAD424E7340E7349A41DF51

Function 00C6D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763667920.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c6d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fc7fb495ab6b5c4b96ecec40aa7f6f3fd6612049fb90be2d0e024dcd560feaf
Instruction ID: c5d8b69bd63d7e11fb987009a7bb4107cf7e7ec2fa960c06414d03107bd7daa4
Opcode Fuzzy Hash: 4fc7fb495ab6b5c4b96ecec40aa7f6f3fd6612049fb90be2d0e024dcd560feaf
Instruction Fuzzy Hash: C8215E755093808FDB12CF24D9D4B15BF71EB46314F28C5EAD8498F6A7C33A990ACB62

Function 06E1FB08 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c139b803e5760d6727f55e70148c8a8eb040dcad3c86acabe32e9a1a91bc1f
Instruction ID: 03d2585af124e8d3b723641b79d0f17cc7ce317e751b0e38120af104f7163b2a
Opcode Fuzzy Hash: c0c139b803e5760d6727f55e70148c8a8eb040dcad3c86acabe32e9a1a91bc1f
Instruction Fuzzy Hash: BA11A3B0F003048FDB589E799824ABF7AE6EFC4760F149529E916DB398EA30C94097D0

Function 06E1CAD2 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a640eed3dbad715289046c80dd567e7befc4c7972287e4c3833dbb8bc46936b8
Instruction ID: 8314624455250fdec56521ffef0bd6e9eb8319da865c8a0210ecd018cab022c7
Opcode Fuzzy Hash: a640eed3dbad715289046c80dd567e7befc4c7972287e4c3833dbb8bc46936b8
Instruction Fuzzy Hash: 36119130A88208DFD741CBA9C544AFCBFF9AB49700F24A194E40ADB215DA34CE40EB80

Function 06E1BBC8 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efb09fdfa5e58444b4128ffd064b15584cb535460bf72e92f489871c3374a31d
Instruction ID: 4b4b04d4d9b563ca4fd77133176072b8ded714815ab8656d4d811ff836e65e60
Opcode Fuzzy Hash: efb09fdfa5e58444b4128ffd064b15584cb535460bf72e92f489871c3374a31d
Instruction Fuzzy Hash: 3121E7B1D106188BEB18CF9BC8457EEFEB6BFC9300F04D06AE4196A254DB740946CF90

Function 06E1593C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d48c3083037d01fbff2a30c35536f0a89c95258680ccf95f1eec47f19a4f4aac
Instruction ID: d885db3d97b8817fe2a771e3b20bc85745ac61aa00e101b53b6f432eb71d53fd
Opcode Fuzzy Hash: d48c3083037d01fbff2a30c35536f0a89c95258680ccf95f1eec47f19a4f4aac
Instruction Fuzzy Hash: 5B21E4B59003499FCB10CF9AD884ADEBFF4FB48364F108459E919A7210D375A954CFA5

Function 00C5D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763603277.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c5d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 8e88fa9ceb2dc42cdea5361680bf123b7ddd21900d4afc8310768e4145ade18e
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 3911CD76404340CFDB16CF00D5C4B16BF62FB94324F24C2A9DC0A0A256C33AE99ACBA1

Function 00C5D4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763603277.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c5d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: d18bd830a849617bfe79776d09d209ae57f696e5f1203382e9f0b216d830e1a0
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: FA11AFB6504280CFCB16CF14D5C4B16BF71FB94318F24C6A9DC4A0B656C336D99ACBA1

Function 06E1C692 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c34045a45ba116132029cca84a963a6d0ef479653e7be0645334f52709b0d2f
Instruction ID: 40ce13c461177209b11e904ea50ef0ce291cb405e5172664e5cd0e35bccd6a50
Opcode Fuzzy Hash: 0c34045a45ba116132029cca84a963a6d0ef479653e7be0645334f52709b0d2f
Instruction Fuzzy Hash: 07113D74D59318DFDB84CFA6D9448FCBFB6BF8A701B20A059E4199A211CB389902DF40

Function 00C6D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763667920.0000000000C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c6d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: 0336a92419dc5aabc383f37ac602ee08fb1c6e93a308a002ef8c9d47e96feb54
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 4811BB75A04280DFCB22CF10C5D4B15BBA1FB84314F28C6AAD84A4B296C33AD84ACB61

Function 06E1CA52 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 027786f477884f5f72ed70f8b26a1c84184d3053f75f1999cd23b99d9fbacd9e
Instruction ID: 270e7dcedde43262f1f187f4041d16d0c6317f559090bef267ae078fd9f3fbe8
Opcode Fuzzy Hash: 027786f477884f5f72ed70f8b26a1c84184d3053f75f1999cd23b99d9fbacd9e
Instruction Fuzzy Hash: 0501C030989308EFC742CFA4D8559FCBFB8AB06701F2561D5E446CB262E6348E81EB81

Function 06E17EF9 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5c964a79ade4a8148a5aacb2a4ccdd0e25062c68e9fdf71a0fca4be41a0f09d
Instruction ID: ec7e2d2b16e46d634fd659d4abe309923d5934716c633be37700ad80acbb6aba
Opcode Fuzzy Hash: b5c964a79ade4a8148a5aacb2a4ccdd0e25062c68e9fdf71a0fca4be41a0f09d
Instruction Fuzzy Hash: 0A01D471E593498FCB41CFA8C8456AE7BB1EB0A300F349496D864D7341E7309B02DB50

Function 06E1C600 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f525d24ae82139301ce4698b5b52b18583f13c5661f3944ad59a395856846366
Instruction ID: f61f3e93c7c174a7d3012c00f43b9ec9ef290d5b14e9917eb9c26bb1e741c4f2
Opcode Fuzzy Hash: f525d24ae82139301ce4698b5b52b18583f13c5661f3944ad59a395856846366
Instruction Fuzzy Hash: B5110970E15218DFDB48CFAAD9449EDBBBABF8A700F10D069E419AB354DB749901DF80

Function 00C5D759 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763603277.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c5d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0590f50f680f65d4a9294a591dbebdbabccc4cbc98245c4b2546385b6731431
Instruction ID: 8a2e6c8100b5f44bb73f77438bf5223e7fe68e553e474a976b6ab98486d498fd
Opcode Fuzzy Hash: b0590f50f680f65d4a9294a591dbebdbabccc4cbc98245c4b2546385b6731431
Instruction Fuzzy Hash: 2D012035004300DAE7304B16CD84757FFD8DF55361F18C45AED1A4A24AC339D8C4C675

Function 06E1CAD8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a09a59719dfde43e36ade4714995ead2cb9081b9a38f967d21e98589b06430a
Instruction ID: d41d9ce04fd52bd6e19caf3314768b307da618178d8aac58da1760564191a593
Opcode Fuzzy Hash: 5a09a59719dfde43e36ade4714995ead2cb9081b9a38f967d21e98589b06430a
Instruction Fuzzy Hash: BE012834A44208EFD744DBA9C585AACBFF5AB4D700F24D094A409EB365DB749E00EB40

Function 06E1CA60 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d80598affaa7d505492e52dbc4082c4439be4d552de941effd749641727b816
Instruction ID: 5b295cb1da00a460fbc45bcf37e18a83c21163ab0db4b6bcc388f5ef61353243
Opcode Fuzzy Hash: 6d80598affaa7d505492e52dbc4082c4439be4d552de941effd749641727b816
Instruction Fuzzy Hash: A5F06D30988305DFD745CB65C5419FCBBB8AB4A741B20B1A4901B9E211D7388A81EBC1

Function 06E18440 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e339e21855ea9f0947353b8e09d82eda4e2e2833426ba027f8cf3337a24e098
Instruction ID: 41abc934ee9e1389912a3cb5b4709e471439a6985446d064246901fdb65af80b
Opcode Fuzzy Hash: 5e339e21855ea9f0947353b8e09d82eda4e2e2833426ba027f8cf3337a24e098
Instruction Fuzzy Hash: B401FF74E04209DFCB90DFA8C5406AEBBF9FB49300F1094A99819E7340EB319A02DB51

Function 06E1E70A Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3d5dc5ad116b5c14d9c4908f0d99b59ad921b704312e0734678821f0c1a0090
Instruction ID: 89cb9ddf832cb1857bafafdab5afcc22e0216c47154701f4fe14757d3cb48eee
Opcode Fuzzy Hash: c3d5dc5ad116b5c14d9c4908f0d99b59ad921b704312e0734678821f0c1a0090
Instruction Fuzzy Hash: 5C110930904205CFDB50EF98E989B98BBB5FB49310F20A296E409AB394DB309D81CF60

Function 06E1EAAC Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 149885caeeb0109196dcbecfbfc32d690c21ea568b1269ce6fc7ed749396265b
Instruction ID: ec64bcab6526ce9be6aa36c17c02297f0e5fa86631ace62e99f87853ee5c6154
Opcode Fuzzy Hash: 149885caeeb0109196dcbecfbfc32d690c21ea568b1269ce6fc7ed749396265b
Instruction Fuzzy Hash: D3017175908344CFD750CF94D44AAADBFB5BB09305F18A0A9F809DB312CB309942DF91

Function 06E18430 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1290bbc5c765769df45494f64ca8e44edc7ee2cd3fd811a00e796898f32fb6c6
Instruction ID: 98f7e36a9a45f897303b38ee163284f412302c607fd66eb83c528ccab870cdc6
Opcode Fuzzy Hash: 1290bbc5c765769df45494f64ca8e44edc7ee2cd3fd811a00e796898f32fb6c6
Instruction Fuzzy Hash: 7101A274E05209CFCB51DFA8C4406AEBFB4EB45314F2485AED814EB381DB358E06DB51

Function 06E16C28 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec47f1c71d0fe39c26c756be1a131d2c08a85e640c4ecc56b0f2f729749e49cc
Instruction ID: d8453ee7a870c02a36404ebb453b0e9599e0900f370598d61b14197a1632ba0c
Opcode Fuzzy Hash: ec47f1c71d0fe39c26c756be1a131d2c08a85e640c4ecc56b0f2f729749e49cc
Instruction Fuzzy Hash: 8A01F6B4E0420ADFCB94DFA8D5012AEBBF4EB48300F1094A99809E7340EB309A01DB51

Function 06E16C18 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54e59bf72613c2bd9e6a08c8ede5ff1163dce97222ba6c498f7f523443bc61f1
Instruction ID: 08dc93487f69ac899e320cae3cbf2313f231ad8ef4a35df896e871638393b47c
Opcode Fuzzy Hash: 54e59bf72613c2bd9e6a08c8ede5ff1163dce97222ba6c498f7f523443bc61f1
Instruction Fuzzy Hash: 850146B4E0020A9FCB90DFA8D9423AEBFF4FB49300F0094A99804E7741EB759A11CB91

Function 06E17F41 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30db217b05d3e399540599c88b14d2f35891916858be473a590f549a974a3833
Instruction ID: 0aca73b03bc90af6f9d8c3a58c70f82f4548f06237b38efcf048d106f597f85d
Opcode Fuzzy Hash: 30db217b05d3e399540599c88b14d2f35891916858be473a590f549a974a3833
Instruction Fuzzy Hash: 17F09CB4D043099FCB01CFE8C9055DDBFB1BB4A310F259595E454E7251E7344A42DB50

Function 06E1E930 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785facecd8386e4e4665b4d0cce4a73164614f779ace5be53b50061c1d2f88bb
Instruction ID: 71b60580f58e84f150da094259ee1277a4ac8ba144ff9eb069cdc3dc88eea2ed
Opcode Fuzzy Hash: 785facecd8386e4e4665b4d0cce4a73164614f779ace5be53b50061c1d2f88bb
Instruction Fuzzy Hash: 0801E934E053098FDB04DFD4D6895EDBBB6EB84311B70A12AA80A9B358DB704C45CF50

Function 00C5D758 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1763603277.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_c5d000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2b848511815049e269ecdca0f7ca5af01d1fc397bfe4097c49ffb4a533a96b
Instruction ID: f23a486c31d972e44eb6a49c2ef553b4359569535e98e8a5a4875a07a5a7f314
Opcode Fuzzy Hash: 4e2b848511815049e269ecdca0f7ca5af01d1fc397bfe4097c49ffb4a533a96b
Instruction Fuzzy Hash: D2F0C2750043409EE7208A16DC84B62FFA8EF54765F18C45AED190A28AC2799884CAB0

Function 06E132D0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9bc30fa5d3d6760596df5220055a5b7e9e01b2b52d186296ac6714e228c800
Instruction ID: bf378524a32e5e48f916c39f30a379db006f7108b2cfea97e3404178baefff84
Opcode Fuzzy Hash: 1c9bc30fa5d3d6760596df5220055a5b7e9e01b2b52d186296ac6714e228c800
Instruction Fuzzy Hash: 9EF0FF74E04209DFCB40EFA8D4456AEBBF4EB45304F1095A9D814E7341DB759A06DB84

Function 06E183C8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e8f86150353d453b45c6afe4e4b6660c0c4a231155056476d05e0175e1c80d4
Instruction ID: 4ed8dc53556fa00a2e9b86b193a9f11e5b93d0b0996d3e7c6e1636b52fe40ee2
Opcode Fuzzy Hash: 1e8f86150353d453b45c6afe4e4b6660c0c4a231155056476d05e0175e1c80d4
Instruction Fuzzy Hash: A6F01D74D14308DFCB40DFA995052DEBFB5AB0A204F0195A6D454E3251EB344A46DB41

Function 06E143B0 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac70313ed8966641c26d574f17b29e5ac2b1cb264268b8149bd2f4cb4eb6dbe0
Instruction ID: 74ef93fe1099e1ca8371ab86d30bb8d20a6015f68ed0a0bf558f94c9572062c5
Opcode Fuzzy Hash: ac70313ed8966641c26d574f17b29e5ac2b1cb264268b8149bd2f4cb4eb6dbe0
Instruction Fuzzy Hash: A9F01DB4E01309DFCB41DFA9D9052EEBBF4BB49300F1095A9D818E3340EB309A02DB90

Function 06E17049 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aab3342ec5d7054f2353340ba9919960255abfbc80c9015142a254b397dbed0
Instruction ID: 843da8c9db6d64f904e7054867da14f538942f43c69e33d9673c73c9c65c3931
Opcode Fuzzy Hash: 2aab3342ec5d7054f2353340ba9919960255abfbc80c9015142a254b397dbed0
Instruction Fuzzy Hash: 23F0E2B2A04348AFDF85CBB8DC5599E7FBAEF44220B05C0ABE049DF225E23199419B54

Function 06E1E5A0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 470a70ff352b5ad03556813ac86bc8dc44526200e2aa92246053c5cda518e83a
Instruction ID: 4742df4d24cb120da7f2baaec32dbf00456b0ee36775493ef743ab68fd7e877a
Opcode Fuzzy Hash: 470a70ff352b5ad03556813ac86bc8dc44526200e2aa92246053c5cda518e83a
Instruction Fuzzy Hash: 84F0A430905208DFEB90DBA9D5447EDBBB9AB84300F5094A5E405A7284DBB05A40CF40

Function 06E143C0 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 025f5d287a5f5d7590b9985761c3a8dba74b5a2629ea3385d1a1e5a396b04f55
Instruction ID: e9144ac3c09955c91929c8744f1b1065621a97b14ea55048f347636367741dee
Opcode Fuzzy Hash: 025f5d287a5f5d7590b9985761c3a8dba74b5a2629ea3385d1a1e5a396b04f55
Instruction Fuzzy Hash: A8F0F9B4D0520ADFCB40DFA9D5415EEBBF4BB48300F1095A9D818E3340EB309A02DF91

Function 06E17F50 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89176bde35ff708edf015332981821b9789e5f947f324608826fba38f005f668
Instruction ID: 872aa09dd800b8b3a09407353d7f11e001a4987f06efcce16063ba1ddfd1bbb6
Opcode Fuzzy Hash: 89176bde35ff708edf015332981821b9789e5f947f324608826fba38f005f668
Instruction Fuzzy Hash: 53F097B4E0520ADFCB44DFA9D5455AEBBF5BB49300F2095A9E829E3340EB309A41DB91

Function 06E1E753 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 541e11ff2c3e2ee457bd38867500331c9ec99f517ce471ea3a0a8d88ff49d707
Instruction ID: 76b41cfad66f33fa864b377294937b4827df73347adaadf836723e2995a588bc
Opcode Fuzzy Hash: 541e11ff2c3e2ee457bd38867500331c9ec99f517ce471ea3a0a8d88ff49d707
Instruction Fuzzy Hash: 0F012C30904205CFC710DFA8E889B9CBBB5FB49310F24A2A6E419AB395DB309D81CF50

Function 06E1E468 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56f9c0437df9ae1bbd3ef6b6fe29e9322fce1470fc1bdf88b1561f1a305c442d
Instruction ID: 9c1468a4945d7227dc42bd61669f9e5a0a169900e45e64d6523b273004e669cd
Opcode Fuzzy Hash: 56f9c0437df9ae1bbd3ef6b6fe29e9322fce1470fc1bdf88b1561f1a305c442d
Instruction Fuzzy Hash: 7AF06270E143169FD754CF65C806AEEBFF1BF08211F144599AC10EB242E7398406CBD0

Function 06E13D21 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04ea497e49c8e191d2df4909e58ea82e071bbb3e55c22f89bdd7e02f12eba131
Instruction ID: c50108be6239d5355a3c0761494709ff77eef7159c71017474470bb9bc615512
Opcode Fuzzy Hash: 04ea497e49c8e191d2df4909e58ea82e071bbb3e55c22f89bdd7e02f12eba131
Instruction Fuzzy Hash: 46F03A74D14208AFDB80DFB9D84A2EDBFF5EB0A304F0099AAD814E3210EB745A41DF40

Function 06E183D8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd11eded4b59ea3462f29fa7bb9c0822c53391d46770b8e38d9429a2fd5134a0
Instruction ID: 4c7a918edc01a3b6eb02b968df861f1784ac2fb2281498da82daef842f4c9475
Opcode Fuzzy Hash: dd11eded4b59ea3462f29fa7bb9c0822c53391d46770b8e38d9429a2fd5134a0
Instruction Fuzzy Hash: 5CF0B7B4D14209DFCB84DFA9D5455AEBBF9EB09304F00A9AAD418E3200EB745A41DB81

Function 06E13D30 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88b75b4d962638d97834ef8761c010232dda448af1cd57620bf53159c9ccf569
Instruction ID: 280ff08dda598842d97f36caad36ca37dd88a88243a444efbffcab5ea9af4065
Opcode Fuzzy Hash: 88b75b4d962638d97834ef8761c010232dda448af1cd57620bf53159c9ccf569
Instruction Fuzzy Hash: 76F0B7B4D14209EFCB80DFB9D5465EDBBF5AB09304F10A9AAD828E7310EB705640DF40

Function 06E1E478 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df7dcd6df7db3cdbf885779506108083b8dc72457ee48be3c258c1d2cacedaad
Instruction ID: 5c93c6b6a35c7af93347dc3a8e331a7510beae333503639d892d7105fd30b662
Opcode Fuzzy Hash: df7dcd6df7db3cdbf885779506108083b8dc72457ee48be3c258c1d2cacedaad
Instruction Fuzzy Hash: B9F0DAB0D0431A9FDB54DFA9C841AAEBBF4BB48200F1085AAE918E7201E7759541CB91

Function 06E1EA82 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488ee38d7a25915b41a3ce1534f5fd7cb1ff8106c2fc3a6b4481d97c78aa88d2
Instruction ID: 6a184dd31c8d356d1f2290652a7dd6a72e1e208d0b7f30b9310cb89891dcf755
Opcode Fuzzy Hash: 488ee38d7a25915b41a3ce1534f5fd7cb1ff8106c2fc3a6b4481d97c78aa88d2
Instruction Fuzzy Hash: 19F0F9B6914204CFC740DF68E48289CBFF5BB19315744A169F815DB321DB309842DF80

Function 06E1E5F1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1a21b50bbb851875eca9e2d81fc858376c9da2033324a4d98ebad2d813dd561
Instruction ID: 6cf46d92cc8052476bd4ac5f5bbf1b180ace3ff61d9dad316498eaadcde0edb2
Opcode Fuzzy Hash: e1a21b50bbb851875eca9e2d81fc858376c9da2033324a4d98ebad2d813dd561
Instruction Fuzzy Hash: 53F09A34A06218CFDB54CF54D945BE8BB76EF84210F20A1AAE40D97314DB300E8ACF51

Function 06E1E9BC Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f592509e8615dd185ef104bb6a4b6a83362ce8ea4547a73719bef441ade0d065
Instruction ID: e67279759021ea4c2b7eeea637d9e361414817c2db26d515c77fee50178090c3
Opcode Fuzzy Hash: f592509e8615dd185ef104bb6a4b6a83362ce8ea4547a73719bef441ade0d065
Instruction Fuzzy Hash: ACF06730E112458FCB40DFA4D5856EDBFB2FB48300B60A02AF81AAB348CB340802CF00

Function 06E18508 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543068d043b066cb9e78ee4042d6a1d2895b7e7fe847f95315cf8b6f6a6193aa
Instruction ID: 881b9cb2f3913e1d53a6940e91c3553d3de7f4178e2fbe704279d75d92d24afe
Opcode Fuzzy Hash: 543068d043b066cb9e78ee4042d6a1d2895b7e7fe847f95315cf8b6f6a6193aa
Instruction Fuzzy Hash: 7AF0C974E15208EFCB90DFB8D4456AEBFF4EB0A300F10A5A9D809E3200EB345A40DB41

Function 06E1FA99 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b2d30e27490adf3a067c29210ddc095cd58a76cf1cc67a237e8151c07c7470c
Instruction ID: a11880f87917c49e93ee244ee77b5c34aad35e32af120a1141b6b70d6f45d8ff
Opcode Fuzzy Hash: 6b2d30e27490adf3a067c29210ddc095cd58a76cf1cc67a237e8151c07c7470c
Instruction Fuzzy Hash: 4FF03474905248AFCB46DFA9D4456ACBFB0EB4A302F0081AAE854AB351CB384A52EF51

Function 06E1E011 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a92b10ea501091811cd24042351259da8b6b67c632198834714d4e46d33bda5
Instruction ID: 7a3f14863cf74f040e0890ce3ea13a7e1326a6b4a1ecd5e648638ec1635617ff
Opcode Fuzzy Hash: 4a92b10ea501091811cd24042351259da8b6b67c632198834714d4e46d33bda5
Instruction Fuzzy Hash: 38E0D8B0840345DFE750DF79C949A997FF1EF08325F64C5A5E426CB2A1EB3985028F80

Function 06E1FAA8 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17e7015f3b7a299ef9b9dccaf3eeaa49c407d97f40881430aacc69b85b0643c5
Instruction ID: 120a17aa07c05cb9caee011ccfbb138bbf0218583e6e10ec2edcb15a7680c21b
Opcode Fuzzy Hash: 17e7015f3b7a299ef9b9dccaf3eeaa49c407d97f40881430aacc69b85b0643c5
Instruction Fuzzy Hash: A5F03974E0020CEBCB44EFA9D40569CBFB5EB49301F40C1AAE818A3340DA345A51EF81

Function 06E14E90 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be1a1cbedae0764cd695825448ba557e6596b068fdf41a25f88a767808d1dddf
Instruction ID: f1e114dc63232ddedf1418a76907b749661c1a49d8cfac5573a04c38a155d5f5
Opcode Fuzzy Hash: be1a1cbedae0764cd695825448ba557e6596b068fdf41a25f88a767808d1dddf
Instruction Fuzzy Hash: 73E08C30901208DFCB80EBA494046AD7AF8AB01304F5065A9D4059B380DB310B45E682

Function 06E15FBD Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d60c7187495769de8c9c7cfaca99a750ddc0938546cb6fd232f8f9f9a055e978
Instruction ID: b01480ab7d3352c302ec0c7a93a61bee846f3c94f1c3ca569c331df0720668aa
Opcode Fuzzy Hash: d60c7187495769de8c9c7cfaca99a750ddc0938546cb6fd232f8f9f9a055e978
Instruction Fuzzy Hash: F0E0C272C0022CAB8B00AFA9DC054EFFF38EF05640B828025E814AB201D3705A21DBC0

Function 06E1E020 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8488d117c546838186ac75ff18a03b65253528479756b614639ab5bf3dae183
Instruction ID: 0ef000b9508fce4b3170837a92658d0408866148982491d20e0fc9654fdcdcfc
Opcode Fuzzy Hash: b8488d117c546838186ac75ff18a03b65253528479756b614639ab5bf3dae183
Instruction Fuzzy Hash: DEE092B0D40209DFD780EFA9C905A9EBBF0AF08204F11C5A9D419EB251EBB496048F91

Function 06E1ACB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75be9c9743d6bdc6bbd736fea06f53ae486c17fdab2b2f31c00837f09e4171dc
Instruction ID: 4540f24f13eb830cf532467d88a548f15e01b294f18abbc15a64ec19223fcb5b
Opcode Fuzzy Hash: 75be9c9743d6bdc6bbd736fea06f53ae486c17fdab2b2f31c00837f09e4171dc
Instruction Fuzzy Hash: B4E01770D26208EFCB80EFF9E84A6ADBFF4AB05201F5050A9E808A3350EB705A45DB41

Function 06E1AD87 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d456decb9c98554aed504a12836501f9372a6ce7acb41fc21c7ad8f349508f55
Instruction ID: 24373e61c26e7683404c1fea7b133e56aeb1f42fc1faa16769df9aff9a4fee81
Opcode Fuzzy Hash: d456decb9c98554aed504a12836501f9372a6ce7acb41fc21c7ad8f349508f55
Instruction Fuzzy Hash: 78E09278D047488BDB54DFE8D4841ACBBF6FB89301B106529E82AAB345DB3018469F01

Function 06E1A2A0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f24165998cfe2daced1ff780ed2782e6d6fc81f83d89d77b716ee30607b8b3b
Instruction ID: 57b00c0170f26a3d627099e5859b58b268387a268d9550b959ccf347c1cc5b15
Opcode Fuzzy Hash: 1f24165998cfe2daced1ff780ed2782e6d6fc81f83d89d77b716ee30607b8b3b
Instruction Fuzzy Hash: 46D0A93240020083D2057386F80B3AC3FA8A70B225FA83030B01CC8152CEB85808CF95

Function 06E15FC8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction ID: 3cb7a905df42f29b052cff5f288f6ff35394efdb8cb6bb0d7c2b96e15ce13b28
Opcode Fuzzy Hash: fcc788c89ca91730e34b729ea8219a5e8389f3dd18a4f57a8284d2c23dda9339
Instruction Fuzzy Hash: ACD09E72D001399B8B10AFE9DC054DFFF79EF49650B518126E925AB100D3715A21DBD1

Function 06E1BCD5 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8bd9e1151c9f791632b8c21c029e461a0a15d09ad508a1208519df13e12cdc
Instruction ID: 86af664a07b6db80d8064c71577c983eb0f8fe5bd5271b080d45e1ce3bd3317b
Opcode Fuzzy Hash: af8bd9e1151c9f791632b8c21c029e461a0a15d09ad508a1208519df13e12cdc
Instruction Fuzzy Hash: FBD01738969269CFEB58CF11CC095FDBF3AFB5A201F04A559A41E62210CB300946EED0

Function 06E155D0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc3e4621c61bb8351c8f78cb4a63471e4e44fc61323292c512ac81f7c62362e
Instruction ID: 6d68f2371750f54ecdc380cd9be9a9e9766c5c61ef580bc8827f2c0e5708062d
Opcode Fuzzy Hash: 7fc3e4621c61bb8351c8f78cb4a63471e4e44fc61323292c512ac81f7c62362e
Instruction Fuzzy Hash: F0D012760482845EC74267648C1C8617FB9BFA63017579497E4C0CE076D510499AF75A

Function 06E1C36C Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6493788ac5b6288f93aeba2ace7a780836aac5ea0d1fd599799e1ef0c06704fa
Instruction ID: b0fa9777eb8b604552f49c66758e8f85159967d56a828c63b898eecb7bcf3134
Opcode Fuzzy Hash: 6493788ac5b6288f93aeba2ace7a780836aac5ea0d1fd599799e1ef0c06704fa
Instruction Fuzzy Hash: E8E04634418511CFEB90DFACC48889CBB75FB44300F11A0E2E80A6B116CB30A980DF61

Function 06E1A56C Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94775162598f212e6fefdcaafdd478340223795cd1bc54aa7138692c348aa5dd
Instruction ID: 310c372dba6e8cf0bd397b61c55542e9b2a9ae55dde75641eb97cff85e83a7d4
Opcode Fuzzy Hash: 94775162598f212e6fefdcaafdd478340223795cd1bc54aa7138692c348aa5dd
Instruction Fuzzy Hash: 81D05235A4A208CFEB10CB48E940BECBBBAFBC6220F0011E5D00D96214CB301E8A8F11

Function 06E1E518 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4754407db1ba87effa6fecd292b4842f6ebdbd9b8f28b66af17f721a1f70c00
Instruction ID: 16637cd2f572f7faab4abefcde3f981e5256042a1fd7cc192d8faff589b61ff6
Opcode Fuzzy Hash: c4754407db1ba87effa6fecd292b4842f6ebdbd9b8f28b66af17f721a1f70c00
Instruction Fuzzy Hash: 55D012361542089F8BC0EFD5E800C667BDCBB14710700D432F504CB422F622F434EB51

Function 06E1BD51 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97acc80cf45fb4abf8205d1564ab221cd984015d7728b5cd4b78185f55bf31cc
Instruction ID: d137199d1c5193f3c77e3ecb2dbfd22f878b11dec19beb0e90816a9c4749dec3
Opcode Fuzzy Hash: 97acc80cf45fb4abf8205d1564ab221cd984015d7728b5cd4b78185f55bf31cc
Instruction Fuzzy Hash: 47D01272949004DFDB405F98F44E0ECB734FB9675271110B3DA1ED901297360E6AEFA0

Function 06E1EA02 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364c6f9c2b1ff802ca6ee53600e3ba5778acb0e7dfa6f58cab091cec6a1bd1a0
Instruction ID: b0380175c9ffde71f3babaddba303bc0458ae7ed30a5b71e743951b61eeaa35c
Opcode Fuzzy Hash: 364c6f9c2b1ff802ca6ee53600e3ba5778acb0e7dfa6f58cab091cec6a1bd1a0
Instruction Fuzzy Hash: 50D01730904200CFD700CF58E089A99BFF6BB09315F19A069E8049B221CB309881CF49

Function 06E1E8FA Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405ebf8a3ee8c83349a0246fffb9bedf33c25cdc6b7eb439849fdd2de60dda90
Instruction ID: 06f7f1ad6b72c50425cbc5b735e202ac2b2bb5ad16fb2fbc5a196dda5481a0d8
Opcode Fuzzy Hash: 405ebf8a3ee8c83349a0246fffb9bedf33c25cdc6b7eb439849fdd2de60dda90
Instruction Fuzzy Hash: E0D0C7315052058FD754DB14D589ED87BBAFB85304F30A7A6D0095F359CF70598D4F44

Function 06E1A2B0 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11a915df988af20fb30b647f4a3357d59f4ce5252ec6a06e7b0530f9398e859
Instruction ID: 7a678185e2338be397d4e2d8013d166e0886204fe86f14839d114393586433e1
Opcode Fuzzy Hash: d11a915df988af20fb30b647f4a3357d59f4ce5252ec6a06e7b0530f9398e859
Instruction Fuzzy Hash: ADC08C3005170587C20877DAF50F3B87FA8AB02306F906020B00C014604EB40804CFA1

Function 06E1C19F Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1434bfbf1b0534d2663c8637ca4983eca7f8b7174a955a4e428453c0505df9c
Instruction ID: 723d2d66deb12545efa3585702f7ee0beb28b8c23e17f2429469b7cf8722d82a
Opcode Fuzzy Hash: b1434bfbf1b0534d2663c8637ca4983eca7f8b7174a955a4e428453c0505df9c
Instruction Fuzzy Hash: C6C0127800C240DBCB405F64C4AA1573FB4BF1620070001E1D85D5D0668E224400DFB5

Function 06E17029 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.1770793265.0000000006E10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_6e10000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f18431c960a387b66c6054c67a8bf60a086921688b30c5bb030a8456063cbeb2
Instruction ID: 96c08d6feddabce255bc6c062d0a935c30e29aeebec1ffcff1a7369b6681081e
Opcode Fuzzy Hash: f18431c960a387b66c6054c67a8bf60a086921688b30c5bb030a8456063cbeb2
Instruction Fuzzy Hash: E7B012FA54024074C94151F08858A895B2137A57147527401E25400016A1610163F21B

Analysis Process: TWmzcmqkuotC.exePID: 7592, Parent PID: 7340COMMON

Executed Functions

Function 029608E0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1779989712.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2960000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13a785343bdea7e0e21cdfb9f08bd3a646e9f7ca7b8aa9eaaf7e1aa2f187e178
Instruction ID: be88889d2b9c178acad711bf4113ac5eec25ce466d156df4aa04bd70a4548dff
Opcode Fuzzy Hash: 13a785343bdea7e0e21cdfb9f08bd3a646e9f7ca7b8aa9eaaf7e1aa2f187e178
Instruction Fuzzy Hash: 57619F34B402059FDB19EF78D99866E7BF2FF88314B104A29E00ADB7A5DF349C058B81

Function 029608CF Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1779989712.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2960000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 234849c41f94a372a6afc16c2ceea5c2aa9ac7d5854d0b1c20b09d84c7cb44c4
Instruction ID: 9b85264e2e8299f3c6e9db4d2ae48dde0bff9edff1e355a828060eb7461f3cd2
Opcode Fuzzy Hash: 234849c41f94a372a6afc16c2ceea5c2aa9ac7d5854d0b1c20b09d84c7cb44c4
Instruction Fuzzy Hash: 9E417C34A406058FCB19FF78E6985AE7FE6FF943147004E28D00A9B698EF3898458B80

Function 02960A98 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1779989712.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2960000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94de7c0614fae42dc58675e1cd0d39ada02f4694d8b3f942ce177d282348cb26
Instruction ID: b6a4432fd5f90d51cd7258179217fa425b1a198da7de2db27dac576b4ae8cdf7
Opcode Fuzzy Hash: 94de7c0614fae42dc58675e1cd0d39ada02f4694d8b3f942ce177d282348cb26
Instruction Fuzzy Hash: C231DD34B001059FDB44AB79C954B6E7BF2BF89710F2048A8E146EF3A6CA71DC019791

Function 02961038 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1779989712.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2960000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41f2bd2cbb4ed89ebf097629476f36461d019b7a6d517e558579759aa8df3ebc
Instruction ID: 2b65c19eaf9a6c75e8e9baf18ab51268bcf55586e2136d31721afa23a8da38b4
Opcode Fuzzy Hash: 41f2bd2cbb4ed89ebf097629476f36461d019b7a6d517e558579759aa8df3ebc
Instruction Fuzzy Hash: 5021C971F003059FDB44ABBD495836FBAEAEFC5210B148829D04AD7355DD348C0647A5

Function 02960F19 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1779989712.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2960000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d46529e6f75c15e3fb3b510b1c7b6e796866ea62e2d7b82a66ed4632e7adb6c0
Instruction ID: 3f890e0e57e234832dfe5680319995d22f3dbe53a623b384810d7b51441c01cc
Opcode Fuzzy Hash: d46529e6f75c15e3fb3b510b1c7b6e796866ea62e2d7b82a66ed4632e7adb6c0
Instruction Fuzzy Hash: 5C319F34A003099FCB02EFB8DA546ADBBB6FF89304F104A69D009AB358DB359A45CB51

Function 02960F28 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1779989712.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2960000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 431f89e6e6e67759c70b9572e0b1d0ed60ba9d6149fa565dae160e7cfb827cb7
Instruction ID: 90f18adb03121a0b1b7d9d2b822167e17aab712c1bfdedfef6e95811950fe906
Opcode Fuzzy Hash: 431f89e6e6e67759c70b9572e0b1d0ed60ba9d6149fa565dae160e7cfb827cb7
Instruction Fuzzy Hash: B5218074E00209DFCB01EBB8DA44AADBBB6FF98304F104A69D009A7358DB359A85CF51

Function 029609CA Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.1779989712.0000000002960000.00000040.00000800.00020000.00000000.sdmp, Offset: 02960000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2960000_TWmzcmqkuotC.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acc41fed9aabef39e080fd415e9c2e9fffa0d8f30d6e8ade0dad9d88fa317d6e
Instruction ID: 719644caf00831180d6468728d4b13b167d5d3db1baa866ae6b5c224d78ea916
Opcode Fuzzy Hash: acc41fed9aabef39e080fd415e9c2e9fffa0d8f30d6e8ade0dad9d88fa317d6e
Instruction Fuzzy Hash: 91118E32B40B105BDB18BF7D845817E7AE6BF842203104E3DD02A9B2E4EF74DC0A4B95

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report product sample requirement.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TWmzcmqkuotC.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\product sample requirement.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1yewi1od.ii5.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_4fcgsw2b.fo1.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cjk12krn.g5p.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cyd2q3f5.c0l.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ir3lksmf.hg3.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l00opidz.oys.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_prteouww.rsg.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qz5z2kog.pcy.psm1

C:\Users\user\AppData\Local\Temp\tmp1AB0.tmp

Windows Analysis Report
product sample requirement.exe