Windows Analysis Report
Musterino_94372478_Ekno_101_20241031410530_ekstre.exe

Overview

General Information

Sample name: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Analysis ID: 1559007
MD5: 7766ffc22475dbdb07730fdd97e9c0c5
SHA1: f744e3b286f1daf7c8cf3df7cf3171d2e7c4675c
SHA256: f69515024de365946c3a58ce3315898196dcca5a2d5a9ba3f5b257818df4055a
Tags: exe, user-threatcat_ch

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • Musterino_94372478_Ekno_101_20241031410530_ekstre.exe (PID: 6904 cmdline: "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe" MD5: 7766FFC22475DBDB07730FDD97E9C0C5)
    • powershell.exe (PID: 5020 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 5164 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\imOLmwQ.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7428 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7084 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • imOLmwQ.exe (PID: 7400 cmdline: C:\Users\user\AppData\Roaming\imOLmwQ.exe MD5: 7766FFC22475DBDB07730FDD97E9C0C5)
    • schtasks.exe (PID: 7556 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8BD7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • imOLmwQ.exe (PID: 7624 cmdline: "C:\Users\user\AppData\Roaming\imOLmwQ.exe" MD5: 7766FFC22475DBDB07730FDD97E9C0C5)
    • imOLmwQ.exe (PID: 7636 cmdline: "C:\Users\user\AppData\Roaming\imOLmwQ.exe" MD5: 7766FFC22475DBDB07730FDD97E9C0C5)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source | Rule | Description | Author | Strings
00000008.00000002.3112118306.000000000341F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000E.00000002.3113375057.000000000375E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000008.00000002.3112118306.0000000003449000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
8.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
8.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x35005:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x35077:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x35101:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x35193:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x351fd:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3526f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x35305:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x35395:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", ParentImage: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, ParentProcessId: 6904, ParentProcessName: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", ProcessId: 5020, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8BD7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8BD7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\imOLmwQ.exe, ParentImage: C:\Users\user\AppData\Roaming\imOLmwQ.exe, ParentProcessId: 7400, ParentProcessName: imOLmwQ.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8BD7.tmp", ProcessId: 7556, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 78.110.166.82, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, Initiated: true, ProcessId: 7216, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49736
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", ParentImage: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, ParentProcessId: 6904, ParentProcessName: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp", ProcessId: 7084, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", ParentImage: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, ParentProcessId: 6904, ParentProcessName: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", ProcessId: 5020, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe", ParentImage: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, ParentProcessId: 6904, ParentProcessName: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp", ProcessId: 7084, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "zqamcx.com", "Username": "sender@zqamcx.com", "Password": "Methodman991"}
Source: zqamcx.com | Virustotal: Detection: 10%
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Virustotal: Detection: 34%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Joe Sandbox ML: detected
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Joe Sandbox ML: detected
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic | TCP traffic: 192.168.2.4:49736 -> 78.110.166.82:587
Source: Joe Sandbox View | IP Address: 78.110.166.82
Source: Joe Sandbox View | ASN Name: UKSERVERS-ASUKDedicatedServersHostingandCo-Location
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: zqamcx.com
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, imOLmwQ.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, imOLmwQ.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, imOLmwQ.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109308908.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123376456.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123303542.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3122984966.0000000006BE2000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.i.lencr.org/0#
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109308908.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123376456.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123303542.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3122984966.0000000006BE2000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://r11.o.lencr.org0#
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1922034960.000000000337B000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 00000009.00000002.1972777595.00000000029DB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1928866653.0000000006470000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlr
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.fonts.com
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.com
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929001727.00000000064B0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.sakkal.comrm$
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.tiro.com
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.typography.netD
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123376456.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123303542.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3122984966.0000000006BE2000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123376456.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123303542.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3122984966.0000000006BE2000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://zqamcx.com
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1923270481.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, imOLmwQ.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, O9KGcRw9bkp.cs | .Net Code: KAZ
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.raw.unpack, O9KGcRw9bkp.cs | .Net Code: KAZ
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\imOLmwQ.exe

System Summary

Source: 8.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers. Author: ditekSHen
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_01729B40
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_01724A88
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_0172CDC0
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_01723E70
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_017241B8
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_05F9C9A0
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_05F91480
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_05F910B8
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_05F9F370
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_06862F08
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_06865760
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_0686DD3D
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_06860040
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_06863637
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_0686BD90
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_06865068
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Code function: 8_2_068649E8
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 9_2_00F8D51C
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_01899B40
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_01894A88
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_0189CDC0
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_01893E70
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_018941B8
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068B2F08
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068B5760
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068B8C0A
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068BDD3D
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068B0040
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068B3637
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068BBD90
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068B5068
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Code function: 14_2_068B49E8
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Static PE information: invalid certificate
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1928403025.0000000005D30000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1923270481.00000000045A1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1920367753.00000000015AE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1932523679.0000000007F70000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1923270481.0000000004329000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1933957722.000000000B000000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000000.1855009729.0000000000F6A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameVnFP.exe6 vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1922034960.0000000003424000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb9cb78e8-c1d3-4ab9-8530-a3a5b5ca79e5.exe4 vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3108403843.00000000011B9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Binary or memory string: OriginalFilenameVnFP.exe6 vs Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: imOLmwQ.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, CMa60k.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, EgTglEucnUn.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, MmVR.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, MmVR.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.45c2120.1.raw.unpack, ArCH2EoQvAw1fqWKFp.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.45c2120.1.raw.unpack, ArCH2EoQvAw1fqWKFp.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.45c2120.1.raw.unpack, ArCH2EoQvAw1fqWKFp.cs | Security API names: _0020.AddAccessRule
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.45c2120.1.raw.unpack, OFidUOEaL5BQRP6ZWv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.7f70000.4.raw.unpack, OFidUOEaL5BQRP6ZWv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.7f70000.4.raw.unpack, ArCH2EoQvAw1fqWKFp.cs | Security API names: _0020.SetAccessControl
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.7f70000.4.raw.unpack, ArCH2EoQvAw1fqWKFp.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.7f70000.4.raw.unpack, ArCH2EoQvAw1fqWKFp.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@1/1
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | File created: C:\Users\user\AppData\Roaming\imOLmwQ.exe
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6548:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5964:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3620:120:WilError_03
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Mutant created: \Sessions\1\BaseNamedObjects\QkwBvKrlcDLYhwlIDXqdJly
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | File created: C:\Users\user\AppData\Local\Temp\tmp7551.tmp
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Virustotal: Detection: 34%
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | File read: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
Source: unknown | Process created: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Process created: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\imOLmwQ.exe C:\Users\user\AppData\Roaming\imOLmwQ.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8BD7.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Process created: C:\Users\user\AppData\Roaming\imOLmwQ.exe "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Process created: C:\Users\user\AppData\Roaming\imOLmwQ.exe "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.45c2120.1.raw.unpack, ArCH2EoQvAw1fqWKFp.cs .Net Code: cinwiePwgV System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.7f70000.4.raw.unpack, ArCH2EoQvAw1fqWKFp.cs .Net Code: cinwiePwgV System.Reflection.Assembly.Load(byte[])
                    Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Static PE information: section name: .text entropy: 7.940612345814647
                    Source: imOLmwQ.exe.0.dr Static PE information: section name: .text entropy: 7.940612345814647
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeFile created: C:\Users\user\AppData\Roaming\imOLmwQ.exeJump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp"

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match | File source: Process Memory Space: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe PID: 6904, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: imOLmwQ.exe PID: 7400, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 16A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 3320000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 3130000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 8120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 9120000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 92D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: A2D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 1720000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 33D0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Memory allocated: 3200000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: F80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 2980000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 28D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 7210000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 8210000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 83A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 93A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 1890000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 3710000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Memory allocated: 1900000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 11999982
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5185
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5638
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Window / User API: threadDelayed 4372
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Window / User API: threadDelayed 5434
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Window / User API: threadDelayed 2244
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Window / User API: threadDelayed 7602
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 6976 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep time: -5534023222112862s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7192 | Thread sleep time: -1844674407370954s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep count: 38 > 30
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -35048813740048126s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -200000s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99859s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7388 | Thread sleep count: 4372 > 30
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99745s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99626s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99500s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99388s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99281s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99172s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7388 | Thread sleep count: 5434 > 30
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99039s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98930s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98811s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98702s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98593s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98484s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98375s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98265s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98156s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98047s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97922s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97812s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97703s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97593s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97483s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97374s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97265s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97155s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99875s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99765s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99656s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99543s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99422s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99312s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99203s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -99094s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98953s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98838s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98719s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98609s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98500s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98390s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98281s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98172s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -98062s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97953s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97844s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97719s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97602s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97484s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97375s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe TID: 7380 | Thread sleep time: -97156s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7464 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep count: 33 > 30
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -30437127721620741s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7736 | Thread sleep count: 2244 > 30
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -199782s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7736 | Thread sleep count: 7602 > 30
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99420s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99203s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99091s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98984s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98875s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98766s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98516s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98406s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98297s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98187s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98078s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97953s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97844s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97733s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97625s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97503s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97375s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99672s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99562s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99453s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99344s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -99000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98890s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98781s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98671s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98560s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98452s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98344s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98219s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -98109s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97990s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97859s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97750s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97641s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97531s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97422s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -97312s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe TID: 7728 | Thread sleep time: -11999982s >= -30000s
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99859
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99745
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99626
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99500
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99388
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99281
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99172
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99039
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98930
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98811
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98702
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98593
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98484
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98375
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98265
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98156
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98047
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97922
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97812
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97703
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97593
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97483
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97374
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97265
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97155
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99875
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99765
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99656
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99543
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99422
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99312
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99203
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 99094
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98953
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98838
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98719
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98609
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98500
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98390
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98281
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98172
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 98062
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97953
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97844
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97719
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97602
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97484
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97375
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | Thread delayed: delay time: 97156
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 99891
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 99766
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 99641
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 99531
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 99420
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 99312
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 99203
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 99091
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98984
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98875
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98766
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98641
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98516
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98406
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98297
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98187
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 98078
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 97953
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 97844
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 97733
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 97625
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 97503
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe | Thread delayed: delay time: 97375
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 99781
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 99672
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 99562
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 99453
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 99344
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 99219
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 99109
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 99000
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 98890
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 98781
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 98671
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 98560
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 98452
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 98344
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 98219
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 98109
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 97990
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 97859
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 97750
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 97641
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 97531
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 97422
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 97312
                    Source: C:\Users\user\AppData\Roaming\imOLmwQ.exeThread delayed: delay time: 11999982
                    Source: imOLmwQ.exe, 00000009.00000002.1971415681.0000000000B6A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-
                    Source: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Process created: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8BD7.tmp"
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe; Process created: C:\Users\user\AppData\Roaming\imOLmwQ.exe "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe; Process created: C:\Users\user\AppData\Roaming\imOLmwQ.exe "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Candaral.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Candarali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe; Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\flat_officeFontsPreview.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\OFFSYM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Queries volume information: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Queries volume information: C:\Users\user\AppData\Roaming\imOLmwQ.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

Source: Yara match (file source: 8.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.400000.0.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.raw.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 00000008.00000002.3112118306.000000000341F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 0000000E.00000002.3113375057.000000000375E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000008.00000002.3112118306.0000000003449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 0000000E.00000002.3113375057.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000008.00000002.3112118306.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 0000000E.00000002.3113375057.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000000.00000002.1923270481.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: Process Memory Space: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe PID: 6904, type: MEMORYSTR)
Source: Yara match (file source: Process Memory Space: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe PID: 7216, type: MEMORYSTR)
Source: Yara match (file source: Process Memory Space: imOLmwQ.exe PID: 7636, type: MEMORYSTR)
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\imOLmwQ.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match (file source: 8.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.400000.0.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.raw.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000008.00000002.3112118306.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 0000000E.00000002.3113375057.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000000.00000002.1923270481.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: Process Memory Space: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe PID: 6904, type: MEMORYSTR)
Source: Yara match (file source: Process Memory Space: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe PID: 7216, type: MEMORYSTR)
Source: Yara match (file source: Process Memory Space: imOLmwQ.exe PID: 7636, type: MEMORYSTR)
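
The registry keys and files listed above (WinSCP sessions, Chrome/Edge Login Data and cookies, Firefox/Cyberfox/BlackHawk and Thunderbird profiles.ini, FTP Navigator's Ftplist.txt, the Windows Messaging Subsystem profile key and IncrediMail identities) are the credential stores this stealer sweeps in one run. As an added example that is not Joe Sandbox output and not code from the sample, the following script turns that sweep into a host-side detection: it classifies file-open and registry-open events by store family and alerts when a single process that does not own a store reads several distinct families. The event records, their field names (image, pid, target) and the list of owning process names are constructed and assumed for the example, not a real EDR schema; the paths in the sample events are copied from the report lines above.

```python
import re
from collections import defaultdict

# Credential stores the report shows the sample opening, grouped by family.
# Each pattern matches the lower-cased tail of a file path or registry key.
CREDENTIAL_STORES = [
    ("winscp",      re.compile(r"\\martin prikryl\\winscp 2\\sessions$")),
    ("chromium",    re.compile(r"\\user data\\[^\\]+\\(login data|network\\cookies)$")),
    ("mozilla",     re.compile(r"\\(mozilla\\firefox|8pecxstudios\\cyberfox|netgate technologies\\blackhawk)\\profiles\.ini$")),
    ("mozilla",     re.compile(r"\\firefox\\profiles\\[^\\]+\\cookies\.sqlite$")),
    ("thunderbird", re.compile(r"\\thunderbird\\profiles\.ini$")),
    ("ftp",         re.compile(r"\\ftp navigator\\ftplist\.txt$")),
    ("mapi",        re.compile(r"\\windows messaging subsystem\\profiles$")),
    ("incredimail", re.compile(r"\\incredimail\\identities$")),
]

# Processes that legitimately read their own store (assumed image names).
# A store read by any other process is counted against that process.
OWNERS = {
    "winscp": {"winscp.exe"},
    "chromium": {"chrome.exe", "msedge.exe"},
    "mozilla": {"firefox.exe", "cyberfox.exe", "blackhawk.exe"},
    "thunderbird": {"thunderbird.exe"},
}


def classify(target):
    """Return the credential-store family a path or registry key belongs to, else None."""
    tail = target.lower().rstrip("\\")
    for family, pattern in CREDENTIAL_STORES:
        if pattern.search(tail):
            return family
    return None


def score_events(events, threshold=3):
    """Group open events by (image, pid) and alert when one process reads at least
    `threshold` distinct store families it does not own. A stealer like the one in
    this report touches many families in one run; a browser touches only its own."""
    touched = defaultdict(set)
    for ev in events:
        family = classify(ev["target"])
        if family is None:
            continue
        basename = ev["image"].rsplit("\\", 1)[-1].lower()
        if basename in OWNERS.get(family, set()):
            continue
        touched[(ev["image"], ev["pid"])].add(family)
    return [
        {"image": image, "pid": pid, "families": sorted(fams)}
        for (image, pid), fams in touched.items()
        if len(fams) >= threshold
    ]


# Constructed events modelled on the report's "File opened" / "Key opened" lines.
STEALER = r"C:\Users\user\AppData\Roaming\imOLmwQ.exe"
SAMPLE_EVENTS = [
    {"image": STEALER, "pid": 7636, "target": r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"},
    {"image": STEALER, "pid": 7636, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"image": STEALER, "pid": 7636, "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": STEALER, "pid": 7636, "target": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"image": STEALER, "pid": 7636, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"},
    {"image": STEALER, "pid": 7636, "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite"},
    {"image": STEALER, "pid": 7636, "target": r"C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini"},
    {"image": STEALER, "pid": 7636, "target": r"C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini"},
    {"image": STEALER, "pid": 7636, "target": r"C:\FTP Navigator\Ftplist.txt"},
    {"image": STEALER, "pid": 7636, "target": r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"},
    {"image": STEALER, "pid": 7636, "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"},
    {"image": STEALER, "pid": 7636, "target": r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"},
    # Benign: the browser reading its own password store, and an unrelated file open.
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "pid": 4120,
     "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Windows\explorer.exe", "pid": 1240, "target": r"C:\Users\user\Desktop\notes.txt"},
]


def main():
    for alert in score_events(SAMPLE_EVENTS):
        print(f"{alert['image']} (PID {alert['pid']}) read {len(alert['families'])} "
              f"credential stores: {', '.join(alert['families'])}")


if __name__ == "__main__":
    main()
```

Counting distinct families rather than raw opens is what keeps the rule quiet: a browser or mail client opens its own store constantly, but only a harvester walks WinSCP, three browser families, an FTP client and two mail stores from one PID within a single run. The owner allowlist is by image name only, so a stealer injected into a browser process would slip through it; pairing this with the report's process-injection and keyboard-hook findings covers that gap.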

                    Remote Access Functionality

Source: Yara match (file source: 8.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.400000.0.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43f0e18.2.raw.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 0.2.Musterino_94372478_Ekno_101_20241031410530_ekstre.exe.43b45f8.0.raw.unpack, type: UNPACKEDPE)
Source: Yara match (file source: 00000008.00000002.3112118306.000000000341F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 0000000E.00000002.3113375057.000000000375E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000008.00000002.3112118306.0000000003449000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 0000000E.00000002.3113375057.0000000003788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000008.00000002.3112118306.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 0000000E.00000002.3113375057.0000000003719000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: 00000000.00000002.1923270481.0000000004329000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY)
Source: Yara match (file source: Process Memory Space: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe PID: 6904, type: MEMORYSTR)
Source: Yara match (file source: Process Memory Space: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe PID: 7216, type: MEMORYSTR)
Source: Yara match (file source: Process Memory Space: imOLmwQ.exe PID: 7636, type: MEMORYSTR)
MITRE ATT&CK matrix. Techniques carrying a count in parentheses are the ones the report flagged; the digits are the count badges attached to that cell, concatenated as they were extracted. Cells without a count are the unflagged matrix entries.

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation (121) | DLL Side-Loading (1) | DLL Side-Loading (1) | Disable or Modify Tools (11) | OS Credential Dumping (2) | File and Directory Discovery (1) | Remote Services | Archive Collected Data (11) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job (1) | Scheduled Task/Job (1) | Process Injection (11) | Deobfuscate/Decode Files or Information (1) | Input Capture (21) | System Information Discovery (24) | Remote Desktop Protocol | Data from Local System (2) | Non-Standard Port (1) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Scheduled Task/Job (1) | Obfuscated Files or Information (1) | Credentials in Registry (1) | Query Registry (1) | SMB/Windows Admin Shares | Email Collection (1) | Non-Application Layer Protocol (1) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Software Packing (12) | NTDS | Security Software Discovery (111) | Distributed Component Object Model | Input Capture (21) | Application Layer Protocol (11) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | DLL Side-Loading (1) | LSA Secrets | Process Discovery (1) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Masquerading (1) | Cached Domain Credentials | Virtualization/Sandbox Evasion (141) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Virtualization/Sandbox Evasion (141) | DCSync | Application Window Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (11) | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
Behavior Graph ID: 1559007. Sample: Musterino_94372478_Ekno_101... Start date: 20/11/2024. Architecture: WINDOWS. Score: 100.

Sample-level findings: DNS zqamcx.com; Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures.

Process tree (the number in brackets is the counter the graph shows beside each process):

• Musterino_94372478_Ekno_101_20241031410530_ekstre.exe [7]
    Dropped: C:\Users\user\AppData\Roaming\imOLmwQ.exe (PE32); C:\Users\user\...\imOLmwQ.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp7551.tmp (XML); Musterino_94372478...0530_ekstre.exe.log (ASCII)
    Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender
    • Musterino_94372478_Ekno_101_20241031410530_ekstre.exe [2]
        Network: zqamcx.com 78.110.166.82, ports 49736, 49738, 49739, UKSERVERS-ASUKDedicatedServersHostingandCo-Location, United Kingdom
        Signature: Installs a global keyboard hook
    • powershell.exe [23]
        Signature: Loading BitLocker PowerShell Module
        • conhost.exe
        • WmiPrvSE.exe
    • powershell.exe [23]
        • conhost.exe
    • schtasks.exe [1]
        • conhost.exe
• imOLmwQ.exe [5]
    Signature: Machine Learning detection for dropped file
    • imOLmwQ.exe
        Signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
    • schtasks.exe
        • conhost.exe
    • imOLmwQ.exe

| Source | Detection | Scanner | Label |
| Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | 35% | Virustotal | |
| Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | 100% | Joe Sandbox ML | |

| Source | Detection | Scanner | Label |
| C:\Users\user\AppData\Roaming\imOLmwQ.exe | 100% | Joe Sandbox ML | |

No Antivirus matches

| Source | Detection | Scanner | Label |
| zqamcx.com | 10% | Virustotal | |

| Source | Detection | Scanner | Label |
| http://www.sakkal.comrm$ | 0% | Avira URL Cloud | safe |
| http://www.ascendercorp.com/typedesigners.htmlr | 0% | Avira URL Cloud | safe |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
| zqamcx.com | 78.110.166.82 | true | true | | unknown |
| Name | Source | Malicious | Antivirus Detection | Reputation |
| http://www.apache.org/licenses/LICENSE-2.0 | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designersG | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.sakkal.comrm$ | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929001727.00000000064B0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.fontbureau.com/designers/? | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.founder.com.cn/cn/bThe | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://account.dyn.com/ | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1923270481.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp | false | | high |
| http://r11.o.lencr.org0# | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109308908.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123376456.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123303542.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3122984966.0000000006BE2000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers? | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.tiro.com | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.goodfont.co.kr | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, imOLmwQ.exe.0.dr | false | | high |
| http://www.carterandcone.coml | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.sajatypeworks.com | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.typography.netD | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers/cabarga.htmlN | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.founder.com.cn/cn/cThe | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.galapagosdesign.com/staff/dennis.htm | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.founder.com.cn/cn | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers/frere-user.html | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://x1.c.lencr.org/0 | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123376456.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123303542.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3122984966.0000000006BE2000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://x1.i.lencr.org/0 | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123376456.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123303542.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3122984966.0000000006BE2000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.jiyu-kobo.co.jp/ | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.ascendercorp.com/typedesigners.htmlr | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1928866653.0000000006470000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown |
| http://www.galapagosdesign.com/DPlease | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fontbureau.com/designers8 | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.fonts.com | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.sandoll.co.kr | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://zqamcx.com | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.urwpp.deDPlease | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.zhongyicts.com.cn | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1922034960.000000000337B000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 00000009.00000002.1972777595.00000000029DB000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://www.sakkal.com | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmp | false | | high |
| http://r11.i.lencr.org/0# | Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109308908.0000000001569000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123376456.0000000006A5A000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3123303542.0000000006A50000.00000004.00000020.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.00000000034F6000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3122984966.0000000006BE2000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3109072613.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003766000.00000004.00000800.00020000.00000000.sdmp | false | | |
                                                                                      high
Contacted IPs:
IP: 78.110.166.82
Domain: zqamcx.com
Country: United Kingdom
ASN: 42831
ASN Name: UKSERVERS-AS UK Dedicated Servers Hosting and Co-Location
Malicious: true
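A triage routine for the string list and the contacted-IP table above, added here as an example; it is not part of the report and not Joe Sandbox code. Most URLs in the string list (fontbureau.com, fonts.com, sandoll.co.kr, sakkal.com, urwpp.de, zhongyicts.com.cn, galapagosdesign.com) are the vendor and designer URLs found in font metadata, which any GDI+/WinForms process pulls into memory; r11.i.lencr.org is the Let's Encrypt R11 issuer URL that appears once a TLS certificate chain has been parsed; the schemas.xmlsoap.org URI is a .NET identity-claim constant. Only zqamcx.com also appears in the contacted-IP table, and for that host the string list's own Malicious column (false) disagrees with the IP table (true). The allowlist, the reading of the dump-file name fields (first field process index, fourth field region base address) and the list of process names are assumptions stated in the code; the sample lines are copied from the list above.

```python
"""Triage URL strings from a flattened Joe Sandbox memory-string list.

Added example; not part of the report. Parses lines of the form
    <url><process>, <dump>.sdmp[, <process>, <dump>.sdmp ...]<true|false>
and separates strings that merely sit in memory (font licence URLs, CA
issuer URLs, XML namespaces) from hosts the sandbox saw traffic to.
"""
import re
from urllib.parse import urlsplit

# Process names from the report; needed because the flattened lines glue the
# URL and the first source process name together without any separator.
KNOWN_PROCS = (
    "Musterino_94372478_Ekno_101_20241031410530_ekstre.exe",
    "imOLmwQ.exe",
)

# Hosts with observed network traffic, from the report's IP/domain table.
OBSERVED_CONTACTS = {"zqamcx.com": "78.110.166.82"}

# Assumed allowlist of string origins that appear in .NET binaries without
# any network activity. A leading "." means "this domain or any subdomain".
BENIGN_STRING_ORIGINS = {
    "font-metadata": (".fontbureau.com", ".fonts.com", ".sandoll.co.kr",
                      ".sakkal.com", ".urwpp.de", ".zhongyicts.com.cn",
                      ".galapagosdesign.com"),
    "cert-issuer-aia": (".lencr.org",),
    "xml-namespace": ("schemas.xmlsoap.org",),
}

# Dump file name as printed in the report. Assumption: first field is the
# process index, fourth field the region base address; the other fields are
# region attributes and are not interpreted here.
DUMP_RE = re.compile(
    r"(?P<pidx>[0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})"
    r"\.(?:[0-9A-F]{8}\.){4}sdmp"
)

# Constructed sample: four lines copied from the report's string list.
STRING_LINES = [
    "http://www.fontbureau.com/designers8Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://zqamcx.comMusterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3112118306.0000000003427000.00000004.00000800.00020000.00000000.sdmp, imOLmwQ.exe, 0000000E.00000002.3113375057.0000000003835000.00000004.00000800.00020000.00000000.sdmpfalse",
    "http://r11.i.lencr.org/0#Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000008.00000002.3109837896.0000000001595000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://www.urwpp.deDPleaseMusterino_94372478_Ekno_101_20241031410530_ekstre.exe, 00000000.00000002.1929289318.0000000007662000.00000004.00000800.00020000.00000000.sdmpfalse",
]


def parse_string_line(line, known_procs=KNOWN_PROCS):
    """Return url, host, [(process, process_index, region_base)] and the report flag."""
    if line.endswith(".sdmpfalse"):
        body, flag = line[:-len("false")], False
    elif line.endswith(".sdmptrue"):
        body, flag = line[:-len("true")], True
    else:
        raise ValueError(f"no trailing malicious flag: {line!r}")
    # The first occurrence of any known process name marks the end of the URL.
    cuts = [body.find(p) for p in known_procs if body.find(p) > 0]
    if not cuts:
        raise ValueError(f"no known process name in: {line!r}")
    url, rest = body[:min(cuts)], body[min(cuts):]
    parts = rest.split(", ")  # alternating: process, dump, process, dump ...
    sources = []
    for proc, dump in zip(parts[0::2], parts[1::2]):
        m = DUMP_RE.fullmatch(dump)
        if m is None:
            raise ValueError(f"unexpected dump reference: {dump!r}")
        sources.append((proc, int(m["pidx"], 16), int(m["base"], 16)))
    host = (urlsplit(url).hostname or "").lower()
    return {"url": url, "host": host, "sources": sources, "report_malicious": flag}


def classify(entry, observed=OBSERVED_CONTACTS):
    """Observed traffic beats any allowlist; unmatched hosts are left for review."""
    host = entry["host"]
    if host in observed:
        return "contacted"
    for label, suffixes in BENIGN_STRING_ORIGINS.items():
        if any(host == s.lstrip(".") or host.endswith(s) for s in suffixes):
            return label
    return "review"


def triage(lines, observed=OBSERVED_CONTACTS):
    """Parse and classify every line; flag hosts the report marked non-malicious
    even though it recorded traffic to them."""
    results = []
    for line in lines:
        entry = parse_string_line(line)
        entry["class"] = classify(entry, observed)
        entry["flag_disagrees"] = (entry["class"] == "contacted"
                                   and not entry["report_malicious"])
        results.append(entry)
    return results


if __name__ == "__main__":
    for e in triage(STRING_LINES):
        procs = sorted({p for p, _, _ in e["sources"]})
        note = "  <- report string flag says malicious=false" if e["flag_disagrees"] else ""
        print(f"{e['class']:<16} {e['host']:<24} in {', '.join(procs)}{note}")
```

The fourth sample line shows why unmatched hosts go to "review" rather than being dropped: "www.urwpp.deDPlease" is two adjacent memory strings run together, and only a human can say where the URL ends.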
                                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                                      Analysis ID:1559007
                                                                                      Start date and time:2024-11-20 03:19:07 +01:00
                                                                                      Joe Sandbox product:CloudBasic
                                                                                      Overall analysis duration:0h 7m 28s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:full
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:19
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Sample name:Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
                                                                                      Detection:MAL
                                                                                      Classification:mal100.troj.spyw.evad.winEXE@21/15@1/1
                                                                                      EGA Information:
                                                                                      • Successful, ratio: 75%
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      • Number of executed functions: 137
                                                                                      • Number of non-executed functions: 9
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .exe
                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                      • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                      • Execution Graph export aborted for target Musterino_94372478_Ekno_101_20241031410530_ekstre.exe, PID 6904 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                      • Report size getting too big, too many NtCreateKey calls found.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time      Type             Description
02:20:25  Task Scheduler   Run new task: imOLmwQ path: C:\Users\user\AppData\Roaming\imOLmwQ.exe
21:20:19  API Interceptor  1814213x Sleep call for process: Musterino_94372478_Ekno_101_20241031410530_ekstre.exe modified
21:20:22  API Interceptor  48x Sleep call for process: powershell.exe modified
21:20:26  API Interceptor  1246380x Sleep call for process: imOLmwQ.exe modified
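A hunting check for the persistence recorded in the timeline above (a new scheduled task imOLmwQ whose action is C:\Users\user\AppData\Roaming\imOLmwQ.exe), added here as an example; it is not part of the report or of Joe Sandbox. It parses Task Scheduler XML task definitions and flags any Exec action whose command lives in a user-writable directory. Both task definitions are constructed: the first mirrors the timeline entry with an assumed logon trigger and principal, the second is an invented benign task for contrast; the set of user-writable path patterns is also an assumption.

```python
r"""Flag scheduled tasks whose action runs from a user-writable directory.

Added example; not part of the report. Task Scheduler stores each task as an
XML document (schema http://schemas.microsoft.com/windows/2004/02/mit/task)
under C:\Windows\System32\Tasks; this parses that format.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed set of locations an unprivileged user can write to. A persistence
# task pointing here deserves a look whatever its name says.
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Users\\Public\\|\\ProgramData\\|\\Temp\\|"
    r"%(?:APPDATA|LOCALAPPDATA|TEMP|TMP)%",
    re.IGNORECASE,
)

# Constructed sample tasks. The first mirrors the report's timeline entry
# (trigger and principal are assumptions); the second is an invented benign
# task. Real task files on disk are UTF-16 with a BOM: read them as bytes and
# pass the bytes to ET.fromstring so the XML declaration is honoured.
SAMPLE_TASKS = {
    "imOLmwQ": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\imOLmwQ.exe</Command></Exec>
  </Actions>
</Task>""",
    "ExampleVendorUpdate": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Program Files\\ExampleVendor\\update.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>""",
}


def inspect_task(name, xml_data):
    """Return one finding per <Exec> action in a task definition."""
    root = ET.fromstring(xml_data)
    trig = root.find("t:Triggers", NS)
    # Strip the namespace from each trigger element: {ns}LogonTrigger -> LogonTrigger
    triggers = [] if trig is None else [el.tag.split("}")[-1] for el in trig]
    run_level = root.findtext(".//t:Principal/t:RunLevel", default="", namespaces=NS)
    findings = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        findings.append({
            "task": name,
            "command": cmd,
            "arguments": args,
            "triggers": triggers,
            "run_level": run_level,
            "user_writable_path": bool(USER_WRITABLE.search(cmd)),
        })
    return findings


def hunt(tasks):
    """tasks: {task name: XML str or bytes}. Returns only the suspicious findings."""
    return [f for name, xml_data in tasks.items()
            for f in inspect_task(name, xml_data)
            if f["user_writable_path"]]


if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS):
        print(f"{f['task']}: {f['command']} {f['arguments']} "
              f"(triggers={','.join(f['triggers'])}, run_level={f['run_level'] or '?'})")
```

On a live host the same XML comes from Export-ScheduledTask in PowerShell or schtasks /query /xml, or straight from the task files under System32\Tasks; the timeline entry above would surface as the one hit.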
Context matches for IP 78.110.166.82 (Associated Sample Name / URL | Detection | Threat Name | Context):
COB756883.vbs | malicious | CobaltStrike | windowsupdatesolutions.com/ServerCOB.txt
Ingreso_SII_Abril_2021.cmd | malicious | Unknown | www.emolcl.com/namaste/puma.php
Ingreso_SII_Abril_2021.cmd | malicious | Unknown | www.emolcl.com/namaste/puma.php

Context matches for domain zqamcx.com (Associated Sample Name / URL | Detection | Threat Name | Context):
Halkbank_Ekstre_20241118_081142_787116.exe | malicious | AgentTesla | 78.110.166.82
PO NO170300999.exe | malicious | AgentTesla | 78.110.166.82
Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | 78.110.166.82
41570002689_20220814_05352297_HesapOzeti.exe | malicious | AgentTesla | 78.110.166.82
29.10.2024-29.10.2024.exe | malicious | AgentTesla | 78.110.166.82

Context matches for ASN UKSERVERS-AS UK Dedicated Servers Hosting and Co-Location (Associated Sample Name / URL | Detection | Threat Name | Context):
Halkbank_Ekstre_20241118_081142_787116.exe | malicious | AgentTesla | 78.110.166.82
(İTOSAM) 11 KASIM 2024 HAFTALIK EKONOMİ BÜLTENİ.exe | malicious | AgentTesla | 78.110.166.82
PO NO170300999.exe | malicious | AgentTesla | 78.110.166.82
sora.mips.elf | malicious | Mirai | 78.157.201.124
RKsVnThLLP.exe | malicious | Njrat | 94.46.207.10
Musterino_94372478_Ekno_101_20241031410530_ekstre.exe | malicious | AgentTesla | 78.110.166.82
New Order (2).exe | malicious | AgentTesla | 78.110.166.82
41570002689_20220814_05352297_HesapOzeti.exe | malicious | AgentTesla | 78.110.166.82
29.10.2024-29.10.2024.exe | malicious | AgentTesla | 78.110.166.82
botnet.mpsl.elf | malicious | Mirai, Moobot | 5.101.138.114
                                                                                      Process:C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.34331486778365
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                      Malicious:true
                                                                                      Reputation:high, very likely benign file
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                      Process:C:\Users\user\AppData\Roaming\imOLmwQ.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1216
                                                                                      Entropy (8bit):5.34331486778365
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                                                      Malicious:false
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:data
                                                                                      Category:modified
                                                                                      Size (bytes):2232
                                                                                      Entropy (8bit):5.379736180876081
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:tWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugeoPUyus:tLHyIFKL3IZ2KRH9OugYs
                                                                                      MD5:10E0B87B6111C866FC3B823731B377C7
                                                                                      SHA1:B646EB7AF6029026F543BD48696E70F6551AA62B
                                                                                      SHA-256:B8FF8B3EB3D58E1CFA8BE5364CCAE333151F10B33CD4252E99D5165A6BE5B160
                                                                                      SHA-512:C42EA2C6876D6BC067CC2556597E4475E584D83BF0187EBE1D41645F481D6C4725C3BF65E4D6BAA5BDA076E2702BCE9DBE74ECF8B8D3C0A219D50A84F8AB6DAA
                                                                                      Malicious:false
                                                                                      Preview:@...e.................................,..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      File Type:ASCII text, with no line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):60
                                                                                      Entropy (8bit):4.038920595031593
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                      Malicious:false
                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                      Process:C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1573
                                                                                      Entropy (8bit):5.10849441056804
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtapVxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT2v
                                                                                      MD5:BB2AB0DF6DB250930E664CC2A1519E30
                                                                                      SHA1:B5A39E126088210DA318D90BE0398054FDFBC1AB
                                                                                      SHA-256:59F3189BA9C35D1781E015EF7F0424A0E42B34EC9DB527C4EB7A86157597C176
                                                                                      SHA-512:8C1CADD228FE9A40D46E397919E99CDB4F3CCEBE43E3BB71291FB8735FBFA3DC2086441C337864ECA4D9F48B7FA2E27668DCC3F06F4744113E0F11C4DA911E56
                                                                                      Malicious:true
                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                      Process:C:\Users\user\AppData\Roaming\imOLmwQ.exe
                                                                                      File Type:XML 1.0 document, ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):1573
                                                                                      Entropy (8bit):5.10849441056804
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtapVxvn:cge1wYrFdOFzOzN33ODOiDdKrsuT2v
                                                                                      MD5:BB2AB0DF6DB250930E664CC2A1519E30
                                                                                      SHA1:B5A39E126088210DA318D90BE0398054FDFBC1AB
                                                                                      SHA-256:59F3189BA9C35D1781E015EF7F0424A0E42B34EC9DB527C4EB7A86157597C176
                                                                                      SHA-512:8C1CADD228FE9A40D46E397919E99CDB4F3CCEBE43E3BB71291FB8735FBFA3DC2086441C337864ECA4D9F48B7FA2E27668DCC3F06F4744113E0F11C4DA911E56
                                                                                      Malicious:false
                                                                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                                                                      Process:C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):771080
                                                                                      Entropy (8bit):7.934100256459323
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:VrOp+Ri3AgFdEswhJL6+pt8dQ9Hn/9J2bnDiFe1VQddXkAFEDQheJiySyOtt3MKD:7Q3AgEXhJL60t8Qb2DWY12dNhui13/BR
                                                                                      MD5:7766FFC22475DBDB07730FDD97E9C0C5
                                                                                      SHA1:F744E3B286F1DAF7C8CF3DF7CF3171D2E7C4675C
                                                                                      SHA-256:F69515024DE365946C3A58CE3315898196DCCA5A2D5A9BA3F5B257818DF4055A
                                                                                      SHA-512:DB2037BC633BCA7B9E0F8E75FA18868FC7EEF2E4DD1DA6FBACE26F5ECE3BF3C87BD0350A86640D5B7ED54BD937C98B514C25492045D409EA8C7FCA34B0DDC1DC
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../=g..............0..l... ........... ........@.. ....................................`.....................................O.......|................6........................................................... ............... ..H............text....k... ...l.................. ..`.rsrc...|............n..............@..@.reloc..............................@..B.......................H........6...(...........^...,............................................(......}.....{....r...p .....o5....{....o7...&*....0...........{......o9.....}........&.....*..................0..t........o.....{.....{....r...p(....o:.......+%.....{.....o....o;.....o......&....X....i2..{.....o<.......&.{....o=........*......+..E..........\b......2.{....oA...*n.(......}......}.....(....*....0...........{....o......3...%..;.o......{....o.....s......{.......o....,ir5..p..o......+...(...
                                                                                      Process:C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):26
                                                                                      Entropy (8bit):3.95006375643621
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                      Malicious:true
                                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.934100256459323
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.93%
                                                                                      • Windows Screen Saver (13104/52) 0.07%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
                                                                                      File size:771'080 bytes
                                                                                      MD5:7766ffc22475dbdb07730fdd97e9c0c5
                                                                                      SHA1:f744e3b286f1daf7c8cf3df7cf3171d2e7c4675c
                                                                                      SHA256:f69515024de365946c3a58ce3315898196dcca5a2d5a9ba3f5b257818df4055a
                                                                                      SHA512:db2037bc633bca7b9e0f8e75fa18868fc7eef2e4dd1da6fbace26f5ece3bf3c87bd0350a86640d5b7ed54bd937c98b514c25492045d409ea8c7fca34b0ddc1dc
                                                                                      SSDEEP:12288:VrOp+Ri3AgFdEswhJL6+pt8dQ9Hn/9J2bnDiFe1VQddXkAFEDQheJiySyOtt3MKD:7Q3AgEXhJL60t8Qb2DWY12dNhui13/BR
                                                                                      TLSH:D6F423817A781F11DA7847F0A5E212810F35BD3B2914C9CD19C91B4FABD2768C6E8F9A
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../=g..............0..l... ........... ........@.. ....................................`................................
                                                                                      Icon Hash:8bdb4b414d656d61
                                                                                      Entrypoint:0x4b8bf6
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:true
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x673D2F1F [Wed Nov 20 00:36:47 2024 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                      Signature Valid:false
                                                                                      Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                                                                      Signature Validation Error:The digital signature of the object did not verify
                                                                                      Error Number:-2146869232
                                                                                      Not Before, Not After
                                                                                      • 13/11/2018 00:00:00 08/11/2021 23:59:59
                                                                                      Subject Chain
                                                                                      • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                                                                      Version:3
                                                                                      Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                                                                      Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                                                                      Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                                                                      Serial:7C1118CBBADC95DA3752C46E47A27438
                                                                                      Instruction
                                                                                      jmp dword ptr [00402000h]
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb8ba4          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xba000          0x1d7c        .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0xb8e00          0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xbc000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xb6bfc       0xb6c00   97e5837b941c2a4925a1cf66b066b45a  False     0.9597605484781122  data       7.940612345814647    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xba000          0x1d7c        0x1e00    6572d3e8c0a0c744a9e34eb2143e19c4  False     0.80625             data       7.320917777279392    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xbc000          0xc           0x200     300a293513d2e3b0e814b8c09b643d2e  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name           RVA      Size    Type                                                                                Language  Country  ZLIB Complexity
RT_ICON        0xba100  0x1733  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                            0.9151372284896447
RT_GROUP_ICON  0xbb844  0x14    data                                                                                                    1.05
RT_VERSION     0xbb868  0x314   data                                                                                                    0.43274111675126903
RT_MANIFEST    0xbbb8c  0x1ea   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                      0.5489795918367347

DLL          Import
mscoree.dll  _CorExeMain
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                      Nov 20, 2024 03:20:34.118314981 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.119115114 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.123964071 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.295665979 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.296390057 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.302659035 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.470202923 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.470455885 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.475341082 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.652803898 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.653042078 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.657879114 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.826086998 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.826674938 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.826776028 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.826824903 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.826888084 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.827033997 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.827091932 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.827157021 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.827181101 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.827233076 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:20:34.832082033 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.832092047 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.832159996 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.832169056 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:34.832180023 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:35.060146093 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:20:35.110289097 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:22:05.642002106 CET49738587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:22:05.646935940 CET5874973878.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:22:05.808867931 CET5874973878.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:22:05.838193893 CET49738587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:22:09.558959007 CET49741587192.168.2.478.110.166.82
                                                                                      Nov 20, 2024 03:22:09.563987970 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:22:09.731829882 CET5874974178.110.166.82192.168.2.4
                                                                                      Nov 20, 2024 03:22:09.732558012 CET49741587192.168.2.478.110.166.82
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 20, 2024 03:20:25.621047974 CET | 50025 | 53 | 192.168.2.4 | 1.1.1.1
Nov 20, 2024 03:20:25.664935112 CET | 53 | 50025 | 1.1.1.1 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 20, 2024 03:20:25.621047974 CET | 192.168.2.4 | 1.1.1.1 | 0x19ed | Standard query (0) | zqamcx.com | A (IP address) | IN (0x0001) | false

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 20, 2024 03:20:25.664935112 CET | 1.1.1.1 | 192.168.2.4 | 0x19ed | No error (0) | zqamcx.com | (none) | 78.110.166.82 | A (IP address) | IN (0x0001) | false
SMTP Conversations

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 20, 2024 03:20:26.368973970 CET | 587 | 49736 | 78.110.166.82 | 192.168.2.4 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Wed, 20 Nov 2024 02:20:26 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 20, 2024 03:20:26.369952917 CET | 49736 | 587 | 192.168.2.4 | 78.110.166.82 | EHLO 971342
Nov 20, 2024 03:20:26.537760973 CET | 587 | 49736 | 78.110.166.82 | 192.168.2.4 | 250-cphost14.qhoster.net Hello 971342 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 20, 2024 03:20:26.537971020 CET | 49736 | 587 | 192.168.2.4 | 78.110.166.82 | STARTTLS
Nov 20, 2024 03:20:26.709705114 CET | 587 | 49736 | 78.110.166.82 | 192.168.2.4 | 220 TLS go ahead
Nov 20, 2024 03:20:29.260633945 CET | 587 | 49738 | 78.110.166.82 | 192.168.2.4 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Wed, 20 Nov 2024 02:20:29 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 20, 2024 03:20:29.260799885 CET | 49738 | 587 | 192.168.2.4 | 78.110.166.82 | EHLO 971342
Nov 20, 2024 03:20:29.426975012 CET | 587 | 49738 | 78.110.166.82 | 192.168.2.4 | 250-cphost14.qhoster.net Hello 971342 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 20, 2024 03:20:29.427119017 CET | 49738 | 587 | 192.168.2.4 | 78.110.166.82 | STARTTLS
Nov 20, 2024 03:20:29.596244097 CET | 587 | 49738 | 78.110.166.82 | 192.168.2.4 | 220 TLS go ahead
Nov 20, 2024 03:20:30.063126087 CET | 587 | 49739 | 78.110.166.82 | 192.168.2.4 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Wed, 20 Nov 2024 02:20:29 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 20, 2024 03:20:30.063750029 CET | 49739 | 587 | 192.168.2.4 | 78.110.166.82 | EHLO 971342
Nov 20, 2024 03:20:30.233392954 CET | 587 | 49739 | 78.110.166.82 | 192.168.2.4 | 250-cphost14.qhoster.net Hello 971342 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 20, 2024 03:20:30.233726978 CET | 49739 | 587 | 192.168.2.4 | 78.110.166.82 | STARTTLS
Nov 20, 2024 03:20:30.406928062 CET | 587 | 49739 | 78.110.166.82 | 192.168.2.4 | 220 TLS go ahead
Nov 20, 2024 03:20:33.048914909 CET | 587 | 49741 | 78.110.166.82 | 192.168.2.4 | 220-cphost14.qhoster.net ESMTP Exim 4.96.2 #2 Wed, 20 Nov 2024 02:20:32 +0000
    220-We do not authorize the use of this system to transport unsolicited,
    220 and/or bulk e-mail.
Nov 20, 2024 03:20:33.049093962 CET | 49741 | 587 | 192.168.2.4 | 78.110.166.82 | EHLO 971342
Nov 20, 2024 03:20:33.221709013 CET | 587 | 49741 | 78.110.166.82 | 192.168.2.4 | 250-cphost14.qhoster.net Hello 971342 [8.46.123.75]
    250-SIZE 52428800
    250-8BITMIME
    250-PIPELINING
    250-PIPECONNECT
    250-STARTTLS
    250 HELP
Nov 20, 2024 03:20:33.221949100 CET | 49741 | 587 | 192.168.2.4 | 78.110.166.82 | STARTTLS
Nov 20, 2024 03:20:33.398705006 CET | 587 | 49741 | 78.110.166.82 | 192.168.2.4 | 220 TLS go ahead
                                                                                      Target ID:0
                                                                                      Start time:21:20:18
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
                                                                                      Imagebase:0xeb0000
                                                                                      File size:771'080 bytes
                                                                                      MD5 hash:7766FFC22475DBDB07730FDD97E9C0C5
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1923270481.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1923270481.0000000004329000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:2
                                                                                      Start time:21:20:21
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
                                                                                      Imagebase:0x4c0000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:3
                                                                                      Start time:21:20:21
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:4
                                                                                      Start time:21:20:21
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\imOLmwQ.exe"
                                                                                      Imagebase:0x4c0000
                                                                                      File size:433'152 bytes
                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:5
                                                                                      Start time:21:20:21
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:6
                                                                                      Start time:21:20:21
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp7551.tmp"
                                                                                      Imagebase:0x900000
                                                                                      File size:187'904 bytes
                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:7
                                                                                      Start time:21:20:21
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:8
                                                                                      Start time:21:20:22
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\Desktop\Musterino_94372478_Ekno_101_20241031410530_ekstre.exe"
                                                                                      Imagebase:0xf70000
                                                                                      File size:771'080 bytes
                                                                                      MD5 hash:7766FFC22475DBDB07730FDD97E9C0C5
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3112118306.000000000341F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3107870895.000000000040B000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3112118306.0000000003449000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3112118306.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3112118306.00000000033D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                      Target ID:9
                                                                                      Start time:21:20:25
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\imOLmwQ.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\imOLmwQ.exe
                                                                                      Imagebase:0x5a0000
                                                                                      File size:771'080 bytes
                                                                                      MD5 hash:7766FFC22475DBDB07730FDD97E9C0C5
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:10
                                                                                      Start time:21:20:25
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                      Imagebase:0x7ff693ab0000
                                                                                      File size:496'640 bytes
                                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:11
                                                                                      Start time:21:20:27
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\imOLmwQ" /XML "C:\Users\user\AppData\Local\Temp\tmp8BD7.tmp"
                                                                                      Imagebase:0x900000
                                                                                      File size:187'904 bytes
                                                                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:12
                                                                                      Start time:21:20:27
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7699e0000
                                                                                      File size:862'208 bytes
                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high
                                                                                      Has exited:true

                                                                                      Target ID:13
                                                                                      Start time:21:20:27
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\imOLmwQ.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\imOLmwQ.exe"
                                                                                      Imagebase:0x270000
                                                                                      File size:771'080 bytes
                                                                                      MD5 hash:7766FFC22475DBDB07730FDD97E9C0C5
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:low
                                                                                      Has exited:true

                                                                                      Target ID:14
                                                                                      Start time:21:20:27
                                                                                      Start date:19/11/2024
                                                                                      Path:C:\Users\user\AppData\Roaming\imOLmwQ.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Users\user\AppData\Roaming\imOLmwQ.exe"
                                                                                      Imagebase:0xfc0000
                                                                                      File size:771'080 bytes
                                                                                      MD5 hash:7766FFC22475DBDB07730FDD97E9C0C5
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3113375057.000000000375E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3113375057.0000000003788000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.3113375057.0000000003719000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.3113375057.0000000003719000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low
                                                                                      Has exited:false

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1919813569.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_154d000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7265e9ed2f9e5f36fe46def7fddce9ef97a982c4a7fdfd0902fcd4c8194a722a
                                                                                        • Instruction ID: 202b4970524d0c0fadc485d66d299a560ebd867b51f2e4c62764f6ffaff2bc4c
                                                                                        • Opcode Fuzzy Hash: 7265e9ed2f9e5f36fe46def7fddce9ef97a982c4a7fdfd0902fcd4c8194a722a
                                                                                        • Instruction Fuzzy Hash: B2210071600240DFDB05DF58D9C0B6ABFB5FBA831CF20C669E9094F25AC736D456CAA2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1919914222.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_155d000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: eb51ddbae3e13f469ad8f64260b32be202a728b15f1522fc23f671ba3e04e8ba
                                                                                        • Instruction ID: 65eb432be48a701f01bcd0156dd68de702baed29e4e78e003de8f964fcee4403
                                                                                        • Opcode Fuzzy Hash: eb51ddbae3e13f469ad8f64260b32be202a728b15f1522fc23f671ba3e04e8ba
                                                                                        • Instruction Fuzzy Hash: 05210472504200EFDB45DF98D9D0B2ABBB5FB84364F20CA6EED094F256C37AD446CA61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1919914222.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_155d000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ebf1729bb58bd399004218686a1b66fe2daa88a1f10a2b3742e5df3ea1c34d60
                                                                                        • Instruction ID: feb26ceff6f0ee305b06b733880887e474c3f5743727bd972bb98fd1fbac2f4a
                                                                                        • Opcode Fuzzy Hash: ebf1729bb58bd399004218686a1b66fe2daa88a1f10a2b3742e5df3ea1c34d60
                                                                                        • Instruction Fuzzy Hash: 1E210072604200DFDB55DF58D994B2ABBB5FB84314F20C96ADC0A4F266D33AD447CA61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1919914222.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_155d000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8b3fe3d6dcd4f7378f2aba9b8e29cef4d9efe7ebc672f79eefbcca24e2ea423e
                                                                                        • Instruction ID: 9f24b56a1e93cff660c95ae821c0d72c5b403d6e24650864be951de0b966ca6b
                                                                                        • Opcode Fuzzy Hash: 8b3fe3d6dcd4f7378f2aba9b8e29cef4d9efe7ebc672f79eefbcca24e2ea423e
                                                                                        • Instruction Fuzzy Hash: A6217F755083849FDB02CF64D994B15BF71FB46214F28C5EAD8498F2A7D33A980ACB62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1919813569.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_154d000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction ID: aeeecc561b938a3bd4d62aed1bd439bff2c1b0f30534f5c778e5624f403df045
                                                                                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction Fuzzy Hash: 0211E172504280CFCB02CF54D5C4B5ABF71FB94318F24C6A9D8090F256C33AD45ACBA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1919914222.000000000155D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0155D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_155d000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction ID: 15fa828efe36699009e8d50515675d201b9ad26b1f2c661d7b91955b4f19ff79
                                                                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction Fuzzy Hash: 5F11A976504280DFDB42CF54C5D4B19BBB1FB84224F24C6AADC494F696C33AD44ACB61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1919813569.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_154d000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 957f15de63c4b0a45e3c1a3a7231ae6a86c6baea489c43f4202d0a7880ef56c8
                                                                                        • Instruction ID: 1dff8081f98fa26edd5c873a71fe3bc5f4b76d3ed6633d8abc4d3ecba7bb7da8
                                                                                        • Opcode Fuzzy Hash: 957f15de63c4b0a45e3c1a3a7231ae6a86c6baea489c43f4202d0a7880ef56c8
                                                                                        • Instruction Fuzzy Hash: 6E0188710043849BE711DA99CD84757BFF8FF51628F18C966ED094E246C2799440C671
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.1919813569.000000000154D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0154D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_154d000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 14e3cf5e64d3d37cb4a18e4a1b30a75827b42db2056a1fc842c8d1dd510a5e79
                                                                                        • Instruction ID: 4c4919a6e84d711c083c68f70a01feca77fb1bdcdb4254b2819ff66fde1b62a2
                                                                                        • Opcode Fuzzy Hash: 14e3cf5e64d3d37cb4a18e4a1b30a75827b42db2056a1fc842c8d1dd510a5e79
                                                                                        • Instruction Fuzzy Hash: 26F062724043849FE7118B5ADC88B66FFB8FF51628F18C85AED084E287C2799844CAB1

                                                                                        Execution Graph

                                                                                        Execution Coverage:11%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:114
                                                                                        Total number of Limit Nodes:9
                                                                                        [execution_graph: rendered node/edge listing omitted. Windows API calls present in the graph nodes: DuplicateHandle, GetModuleHandleW, GlobalMemoryStatusEx]
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122752310.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6860000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $kq$$kq$$kq$$kq$$kq$$kq
                                                                                        • API String ID: 0-1342094364
                                                                                        • Opcode ID: 2d6b54e9452a0b7d026a7b717774924c1c1f374bed992add80f66bf7e253b1fa
                                                                                        • Instruction ID: b2ff7dc5e21727057b3f88d559c272e13ee0e51b1ac4496c89b96e02d2646e40
                                                                                        • Opcode Fuzzy Hash: 2d6b54e9452a0b7d026a7b717774924c1c1f374bed992add80f66bf7e253b1fa
                                                                                        • Instruction Fuzzy Hash: 30827E30E106158FCB64DF65CA44A9DB7F2FF89300F14C6A9E549AB264EB74ED85CB80

                                                                                        Control-flow Graph (rendered graph omitted; node and edge listing not reproduced)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122752310.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6860000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $kq$$kq
                                                                                        • API String ID: 0-3550614674
                                                                                        • Opcode ID: 3cc944fa19cdf7a45197a3b9cca132116f9c4e8f62e9ce43e9a469b99327558d
                                                                                        • Instruction ID: afa359519f003decbd896ef000d3692029ba90427552e279d9697c2fddaaf9f8
                                                                                        • Opcode Fuzzy Hash: 3cc944fa19cdf7a45197a3b9cca132116f9c4e8f62e9ce43e9a469b99327558d
                                                                                        • Instruction Fuzzy Hash: E202AF30B102058FDB54DB6AD9946AEB7F2FF84700F148529E506EB394DB35EC86CB91

                                                                                        Control-flow Graph (rendered graph omitted; node and edge listing not reproduced)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122752310.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6860000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: Xoq$$kq
                                                                                        • API String ID: 0-227003152
                                                                                        • Opcode ID: 6a7f8bd0f9283f27c0f0020cccc92e738dd18dc806fc7ffd595c70a4f8462b10
                                                                                        • Instruction ID: 2f6e9623f11a64cc14441187261f60734bb0a0f0d8915f9096a261738dcdabb4
                                                                                        • Opcode Fuzzy Hash: 6a7f8bd0f9283f27c0f0020cccc92e738dd18dc806fc7ffd595c70a4f8462b10
                                                                                        • Instruction Fuzzy Hash: 80B1F474B042188FDB58AB799C5527EBBA7BFC8741B14852DE107EB388DE34DC029791
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 13b7d5576a8c8d24bfdf6b85a3cdc2fe9b11bb8d62ffdd6f5ba806ebfa134daa
                                                                                        • Instruction ID: 3c3315d1adaa1bb8ba8f7b886071c968e736c04d56bab63392a2cb27aa9cc136
                                                                                        • Opcode Fuzzy Hash: 13b7d5576a8c8d24bfdf6b85a3cdc2fe9b11bb8d62ffdd6f5ba806ebfa134daa
                                                                                        • Instruction Fuzzy Hash: D953F731D10B1A8ACB51EF68C880699F7B1FF99300F11D79AE4587B125FB70AAD5CB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 767704dcd9b646e4bd452ebd5a4b9d9b3ade308b04aa19e72f8df742a3c18318
                                                                                        • Instruction ID: 7d6c563862aa01d6b409a694a349a82d19b3dc73ef4afb6cfa585a40e99be2f9
                                                                                        • Opcode Fuzzy Hash: 767704dcd9b646e4bd452ebd5a4b9d9b3ade308b04aa19e72f8df742a3c18318
                                                                                        • Instruction Fuzzy Hash: 58332E31D10B198EDB15DF68C8846ADF7B1FF99300F15C79AE448A7225EB70AAC5CB81

                                                                                        Control-flow Graph (rendered graph omitted; node and edge listing not reproduced)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122752310.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6860000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: $
                                                                                        • API String ID: 0-3993045852
                                                                                        • Opcode ID: f21fd382053c19a716a9e157ee669a218eacdcef5f9d1ae6fa1f261616276dbe
                                                                                        • Instruction ID: 997e16aed9fe2bb5c4a3ec593b914bb02edb0a8749f467ff0ec7aa44b9ae4d28
                                                                                        • Opcode Fuzzy Hash: f21fd382053c19a716a9e157ee669a218eacdcef5f9d1ae6fa1f261616276dbe
                                                                                        • Instruction Fuzzy Hash: F122C271E002198FDF64DBA6C5906AEBBB2FF88310F208569EA15EB354DB35DC45CB90
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm
                                                                                        • API String ID: 0-2808160488
                                                                                        • Opcode ID: dabac037dc7be1e7b48c7c8ff9e498736d67edf9e0418813d741992e3e5191f1
                                                                                        • Instruction ID: 2e36bf3ffa11a3534ea086cbc80cbb344c815d5d69055353dc06b760d7418956
                                                                                        • Opcode Fuzzy Hash: dabac037dc7be1e7b48c7c8ff9e498736d67edf9e0418813d741992e3e5191f1
                                                                                        • Instruction Fuzzy Hash: 97917E70E00219DFDF20CFA9D985B9DFBF2BF88314F248529E415A7254EB749886CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a7f978e9cbc80d8be46851abc02ed35613fc597828da189ded291656fbf6724c
                                                                                        • Instruction ID: 8138f91e7a0f0ce882c0140b4af36544478fcb166f86fe43173b1d6cc24e5559
                                                                                        • Opcode Fuzzy Hash: a7f978e9cbc80d8be46851abc02ed35613fc597828da189ded291656fbf6724c
                                                                                        • Instruction Fuzzy Hash: DCB14F71E00229CFDF15CFA9C9857ADFBF2AF88314F148129D516E7294EB749886CB81

                                                                                        Control-flow Graph (rendered graph omitted; node and edge listing not reproduced)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (&kq$(oq
                                                                                        • API String ID: 0-2620321033
                                                                                        • Opcode ID: 6af131cfbdf2260f33a01f188db1f71acc2647063e1d7c511db2aeb14f8a5e7a
                                                                                        • Instruction ID: d5fa51374219b702b87dee19545a276e929c676d6951f94e5cf998f12cdae0e8
                                                                                        • Opcode Fuzzy Hash: 6af131cfbdf2260f33a01f188db1f71acc2647063e1d7c511db2aeb14f8a5e7a
                                                                                        • Instruction Fuzzy Hash: BA71AF31F002299BDB15EFB9D8506AEBBB6AFC8700F14852DE501A7394DE34AD42C7A5

                                                                                        Control-flow Graph (rendered graph omitted; node and edge listing not reproduced)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm$\VLm
                                                                                        • API String ID: 0-1686317364
                                                                                        • Opcode ID: b28c29584dda743aa655ab73a18f47e70527d20f3743e615796677d06d92e927
                                                                                        • Instruction ID: 5b79b7d5d8ba37a02b9da8a5d9e94145835dfeabee5688e4d5fae2e40bb2a467
                                                                                        • Opcode Fuzzy Hash: b28c29584dda743aa655ab73a18f47e70527d20f3743e615796677d06d92e927
                                                                                        • Instruction Fuzzy Hash: 6D7148B0E00269DFDB14CFA9C88479EFBF1BF88314F148129E456AB254EB749942CF91

                                                                                        Control-flow Graph (rendered graph omitted; node and edge listing not reproduced)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm$\VLm
                                                                                        • API String ID: 0-1686317364
                                                                                        • Opcode ID: 29166f9d172fb4d6d2abf7d7fd42b3110cd9c55bd2a8a5a969b2aa6c027bc52c
                                                                                        • Instruction ID: 58c721feb620c9744b22af44e8b03a950726183c85f708ee87b7c5bcd5d70828
                                                                                        • Opcode Fuzzy Hash: 29166f9d172fb4d6d2abf7d7fd42b3110cd9c55bd2a8a5a969b2aa6c027bc52c
                                                                                        • Instruction Fuzzy Hash: 3A714BB0E00259DFDB14CFA9C88479EFBF2BF88314F148129E456AB254EB749942CF95

                                                                                        Control-flow Graph (rendered graph; node data not reproduced)
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LRkq$LRkq
                                                                                        • API String ID: 0-2882777380
                                                                                        • Opcode ID: 0cdead7732f9eaae929390a7ba10df2dfc869a50965b084cbd55e80c113c831c
                                                                                        • Instruction ID: 8c38dbb819ad56842b884b6dbc0b7c3724da1c8034765b3e3290c34c6b2afe30
                                                                                        • Opcode Fuzzy Hash: 0cdead7732f9eaae929390a7ba10df2dfc869a50965b084cbd55e80c113c831c
                                                                                        • Instruction Fuzzy Hash: E251B231A002558FDB25DF68C550BAEF7B2FF89300F20846AE405EB395EB759846CB51

                                                                                        Control-flow Graph (rendered graph; node data not reproduced)
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122366821.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_5f90000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 2c5546af00adb139c036395b2894fb56eaf7a1ca7fe924fce5950fd36325cfb0
                                                                                        • Instruction ID: eaebd690a448e42dd502d5345162932fd7f4dfd789172407c299782c01d0e402
                                                                                        • Opcode Fuzzy Hash: 2c5546af00adb139c036395b2894fb56eaf7a1ca7fe924fce5950fd36325cfb0
                                                                                        • Instruction Fuzzy Hash: 03812470A00B059FEB28DF29D44476ABBF6FF88304F10892DD58AD7A50D779E849CB91

                                                                                        Control-flow Graph (rendered graph; node data not reproduced)
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122752310.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6860000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bde548ae646b6554129184c2155053ef4f2a5f3b71fa4fd4ed0c6aaa03d5816f
                                                                                        • Instruction ID: 4d9f090a0e163d42b0431252e153124a5ac247a438b68d7ee024dcccc174d7c0
                                                                                        • Opcode Fuzzy Hash: bde548ae646b6554129184c2155053ef4f2a5f3b71fa4fd4ed0c6aaa03d5816f
                                                                                        • Instruction Fuzzy Hash: 62411372D083968FCB14CFB9D8046EEBFF5AF89210F15866AE444E7391DB349845CBA1
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05F96807
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122366821.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_5f90000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 08a66001e1db060026e57e8c8cc4e19ae73cb89b789b3e789a416b636ea1e847
                                                                                        • Instruction ID: c4066638d774fb8565e34dcc720230a8f68f29aff212390f4411f1e0aee109e0
                                                                                        • Opcode Fuzzy Hash: 08a66001e1db060026e57e8c8cc4e19ae73cb89b789b3e789a416b636ea1e847
                                                                                        • Instruction Fuzzy Hash: 5F21B3B59002589FDB10CF9AD584ADEBBF4EB48310F14841AE954A7250D378A944CFA5
                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 05F96807
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122366821.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_5f90000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 4e3370d25886313bbb7849562e6c79cd83edc1a2664f88a6ee8b315f3cbfa1d9
                                                                                        • Instruction ID: 25b4267572b3036a1e4d5a81e1d1511d745cd0ca19b1ccbe7435b97057e2eb7a
                                                                                        • Opcode Fuzzy Hash: 4e3370d25886313bbb7849562e6c79cd83edc1a2664f88a6ee8b315f3cbfa1d9
                                                                                        • Instruction Fuzzy Hash: 1B21E2B5D00208DFDB10CFAAD584ADEBBF4FB48310F14841AE955A3360C378A944CFA1
                                                                                        APIs
                                                                                        • GlobalMemoryStatusEx.KERNELBASE(8B550583), ref: 0686E377
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122752310.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6860000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemoryStatus
                                                                                        • String ID:
                                                                                        • API String ID: 1890195054-0
                                                                                        • Opcode ID: 9031fe9a0d0ccc10ac0a1d99d72e95b47f0e32fe2245db6887318bfbec7f6d2a
                                                                                        • Instruction ID: 539f613d36030587efb163109d414d038288a71f6003f8dd3c1127c79917547e
                                                                                        • Opcode Fuzzy Hash: 9031fe9a0d0ccc10ac0a1d99d72e95b47f0e32fe2245db6887318bfbec7f6d2a
                                                                                        • Instruction Fuzzy Hash: 5C1120B1C00269DBCB10CF9AC548BDEFBF4AF48320F11812AE918A7250D378A944CFE5
                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,05F9EA5C), ref: 05F9EC96
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122366821.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_5f90000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: f7b828dae1bc28b6c6566658bd96eb5f3ad1ed4bfcd421e177f100edbfc308e5
                                                                                        • Instruction ID: efc4e1238c10821bd54f68e691391970c9a26c1f845adf3ea1c8a0bcf0a71f06
                                                                                        • Opcode Fuzzy Hash: f7b828dae1bc28b6c6566658bd96eb5f3ad1ed4bfcd421e177f100edbfc308e5
                                                                                        • Instruction Fuzzy Hash: E41120B6C006488FDB24DF9AC444ADEFBF8AB48210F10842AD559B7210C379A545CFA1
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm
                                                                                        • API String ID: 0-2808160488
                                                                                        • Opcode ID: b715eebc672cc586b9514e44dcb61e419096a05e9b8717219d8d3ca7ab320a60
                                                                                        • Instruction ID: 750cbcd6b92315eda559df365a4e13b8645edbf2c3694863a7624835af2b3ad6
                                                                                        • Opcode Fuzzy Hash: b715eebc672cc586b9514e44dcb61e419096a05e9b8717219d8d3ca7ab320a60
                                                                                        • Instruction Fuzzy Hash: 8E917C70E00219DFDB20CFA8D985BDDFBF2BF88314F248129E415A7254EB349986CB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHkq
                                                                                        • API String ID: 0-902561536
                                                                                        • Opcode ID: b1e729bdf9d67065bdfea4b45a59fdb9ec093c938fe6b610c34cd6707ff2b281
                                                                                        • Instruction ID: c41838229bada1b0214eecb32dedd0be5bbfeea5450f705e86477643cf363a01
                                                                                        • Opcode Fuzzy Hash: b1e729bdf9d67065bdfea4b45a59fdb9ec093c938fe6b610c34cd6707ff2b281
                                                                                        • Instruction Fuzzy Hash: 7231DF30B002118FDB159B38DA5466EBBF3AB89600B24456CD406DB3A9DE79DC46CB95
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LRkq
                                                                                        • API String ID: 0-1052062081
                                                                                        • Opcode ID: 4167b2623cc1c12f156748715f1115294db20d0740747d930bd466251244e6ae
                                                                                        • Instruction ID: f7cccaf54dfeffc0ca02a64b4767bec06679d9f327a83f92b8e668e811c637ab
                                                                                        • Opcode Fuzzy Hash: 4167b2623cc1c12f156748715f1115294db20d0740747d930bd466251244e6ae
                                                                                        • Instruction Fuzzy Hash: 6F318134E002298FDF29CF69D551BAEF7B1FF45300F10846AE905EB245EB759846CB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LRkq
                                                                                        • API String ID: 0-1052062081
                                                                                        • Opcode ID: 7e5e395c0497d35e29dea736953cf327c5cf383f6f5c3635dbeb8133d29652f4
                                                                                        • Instruction ID: 1478cea55ac361c307776627de735924489f797830604b6b9de798111cac4542
                                                                                        • Opcode Fuzzy Hash: 7e5e395c0497d35e29dea736953cf327c5cf383f6f5c3635dbeb8133d29652f4
                                                                                        • Instruction Fuzzy Hash: 4821C4306052508FC716EB38E8506AEBBF2FFCA710F0484AED055CB769DA399D85C795
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 20f68c7f575ca776a032ea3723d5e43896ce144eb2bddd87e26a2e256bcc0f85
                                                                                        • Instruction ID: 096eb8812d15a9681862ca416c4a5ae8dd102a223a4803bca80ee1f37345a13b
                                                                                        • Opcode Fuzzy Hash: 20f68c7f575ca776a032ea3723d5e43896ce144eb2bddd87e26a2e256bcc0f85
                                                                                        • Instruction Fuzzy Hash: 3B123D317012169FCB2AAB38E99462DB2B6FB89711F20993DD405CB365CF35DC86C791
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 20d038e4816690cdad4bdd4adb57ee48390d4c366bb45374a9a59bd6832215c1
                                                                                        • Instruction ID: 60e077d0034ddf6888f40ba59ef211d3110ffa1d6324bec8b8855e5d7433dbb4
                                                                                        • Opcode Fuzzy Hash: 20d038e4816690cdad4bdd4adb57ee48390d4c366bb45374a9a59bd6832215c1
                                                                                        • Instruction Fuzzy Hash: 17C1A170B002258FDB15CF69D8807AEFBB2FB88314F18856AE609DB395DB74D945CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 28d166415e1c77840091ec7c9e8e990bb33d28ee12c5dc1f2b0087bc2d40fa92
                                                                                        • Instruction ID: e33cf343193011c6534fd3f9b575752ab197ffa6e974a308b79c88586075d15b
                                                                                        • Opcode Fuzzy Hash: 28d166415e1c77840091ec7c9e8e990bb33d28ee12c5dc1f2b0087bc2d40fa92
                                                                                        • Instruction Fuzzy Hash: 0EB15D34B002248FDB15DF68D594AADBBF2FB88314F188569E906E7355DB34ED42CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7deed1c4254a45e88833157e1d16378cb172c1e749d9e5fc665392232917e056
                                                                                        • Instruction ID: 9dd58c4343be3298f19fb0b5182cef9d45842b432ffd61bc1a5939489de3f7f0
                                                                                        • Opcode Fuzzy Hash: 7deed1c4254a45e88833157e1d16378cb172c1e749d9e5fc665392232917e056
                                                                                        • Instruction Fuzzy Hash: 38B15E70E00229DFDB11CFA9C98579DFBF2BF88314F148129D916E7254EB749986CB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: af771cffd2fc049418ed2f183b8a49f696c9c6eec6394a70ecd70363f7cad899
                                                                                        • Instruction ID: 8867d9f3400bb3723c02467ac2fb8adb45e76062e1a118bf6ecad8d7378d4b8c
                                                                                        • Opcode Fuzzy Hash: af771cffd2fc049418ed2f183b8a49f696c9c6eec6394a70ecd70363f7cad899
                                                                                        • Instruction Fuzzy Hash: B651F470D102288FDB18CFA9C884BADFBB1BF48710F15816AE815AB265D7749885CF95
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 307be81e62124d32d37279fdc919a7cf7a4f56a5cac34d2a3347bacd263c1561
                                                                                        • Instruction ID: e07d390a7d7e9e1dc5e70be00d28081e6c39dd824848d1a130ab3260d9fde9c0
                                                                                        • Opcode Fuzzy Hash: 307be81e62124d32d37279fdc919a7cf7a4f56a5cac34d2a3347bacd263c1561
                                                                                        • Instruction Fuzzy Hash: 6C51E470D102288FDB14CFA9C884B9DFBB1BF48710F15812AE815AB365D774A885CF95
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 5808f4dccb11aa91d3a1c146521b9b812ed5e6e4b0676c94a6eca64b085b3afa
                                                                                        • Instruction ID: 512180ba47b0dd851d6f6a2d4c07da4042ef26458c8f707519ece33f4cf4e6bc
                                                                                        • Opcode Fuzzy Hash: 5808f4dccb11aa91d3a1c146521b9b812ed5e6e4b0676c94a6eca64b085b3afa
                                                                                        • Instruction Fuzzy Hash: CB419471E00219DBDB15DFA9C990ADEFBF6BF88700F248529E511B7254EB70A942CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: bb18e5655707175d0da9b0983743674303397f027ffcef59ab385b18c0f71af5
                                                                                        • Instruction ID: 37fbb26acd03abe1ee225f6dac2878f8290d2efe7aea0d7f6557fc6a3768992d
                                                                                        • Opcode Fuzzy Hash: bb18e5655707175d0da9b0983743674303397f027ffcef59ab385b18c0f71af5
                                                                                        • Instruction Fuzzy Hash: 8351DC306432458FC715DB39FE8096A7B6AF79A314F00B6A9D0044B739DB38AD4ACF52
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 391a7999ea95c8eeec0d8675e11ac99a8db48efef17cf614f94b41cccb245a03
                                                                                        • Instruction ID: e9dda5a5714f72569e9ec96acc63d422666558bc527cc681de729a3d60870bb2
                                                                                        • Opcode Fuzzy Hash: 391a7999ea95c8eeec0d8675e11ac99a8db48efef17cf614f94b41cccb245a03
                                                                                        • Instruction Fuzzy Hash: 9F51DD306432458FC715DB39FE8096A7B6AF799314F00B5A9D0044B739DB38AD4ACF92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e83f5048e4dd42dcaf52b940dbab39e7eb045dc901fefe453164366217b4baa5
                                                                                        • Instruction ID: 12c92f6d7e1d2f8b2bd37ec04c96c974a239e876ef49a4957dcea09be4b97410
                                                                                        • Opcode Fuzzy Hash: e83f5048e4dd42dcaf52b940dbab39e7eb045dc901fefe453164366217b4baa5
                                                                                        • Instruction Fuzzy Hash: 1D315C34E142159FCB15CFA8D594AAEFBF2BF8A300F108529E806E7360DB71AC42CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ac1fc57b16c093ee468d7305ade27d24927b83b92d6b60074ebd4693a0524487
                                                                                        • Instruction ID: 97fccf67896bd0b5a75e1ad9fc479d101dd6bb1ef9d7294d1735753940dedce6
                                                                                        • Opcode Fuzzy Hash: ac1fc57b16c093ee468d7305ade27d24927b83b92d6b60074ebd4693a0524487
                                                                                        • Instruction Fuzzy Hash: CC41D0B0D00359DFDB10DFA9C584ADEBFB5FF48310F24842AE809AB264DB759946CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 31f6b271d5d6c89752f491310a9d5e6d5f6513026fb1f9614afa95a13d054fd1
                                                                                        • Instruction ID: c2b6c4737d99f27034dc7da15a26ce5ef42b73507a4c7babd8b900093b8db49d
                                                                                        • Opcode Fuzzy Hash: 31f6b271d5d6c89752f491310a9d5e6d5f6513026fb1f9614afa95a13d054fd1
                                                                                        • Instruction Fuzzy Hash: 71315E34E142159BCB19CFA9D554A9EF7F6FF8A300F108529E806E7354DB71AC46CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e4aa6bf840c752dbfb5d1e994b3e23745e1278429a000306fb1d59c4855e0fb3
                                                                                        • Instruction ID: ba6280473fbafbce60f53f33d79645a666f8a4643e8e1e02e89e4954dccbd935
                                                                                        • Opcode Fuzzy Hash: e4aa6bf840c752dbfb5d1e994b3e23745e1278429a000306fb1d59c4855e0fb3
                                                                                        • Instruction Fuzzy Hash: C741CEB0D00359DFDB10DFA9C584A9EBFB5FF48310F248429E819AB254DB75A946CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 387a90cee1189fb6c9c7a413706ae448988c793f54bba5f8083e820802711ddf
                                                                                        • Instruction ID: 3a02f3f1f24d717065abae218a3c5a6a0771361d296af6ad2e3facb5dd424b17
                                                                                        • Opcode Fuzzy Hash: 387a90cee1189fb6c9c7a413706ae448988c793f54bba5f8083e820802711ddf
                                                                                        • Instruction Fuzzy Hash: 0E314234701225CFDB29DB78D9546AEB7B6BF89200F2005B8D502EB394DB3ADC02CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 99e964fccc95ea2966d262c15a6cbf63cca986267f67ad3c7b360f36921294c2
                                                                                        • Instruction ID: bed01555764cf0f098f0fa4c38bd1f05541e236a0fe977f05b9b892fa6c1f22b
                                                                                        • Opcode Fuzzy Hash: 99e964fccc95ea2966d262c15a6cbf63cca986267f67ad3c7b360f36921294c2
                                                                                        • Instruction Fuzzy Hash: 42314F34701221CFDB29DB38D9546AEB7B6BF89304F6105A8D502AB395DB39DC42CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2330d94973dd25c9d8bc9047dd5249fd917be1342e6c58b27684752ad94f95ec
                                                                                        • Instruction ID: 4dc8ac2502a1d9c3d8c27f5adbb1a689fb271b5656186669b4b07605df1accdc
                                                                                        • Opcode Fuzzy Hash: 2330d94973dd25c9d8bc9047dd5249fd917be1342e6c58b27684752ad94f95ec
                                                                                        • Instruction Fuzzy Hash: F2319F31E002259FCB15CFA8D98469EF7B6FF89304F148629E905EB355DB71AC46CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 580e830a1f3f142739fa8e84820514334f20fc3bd82f749c04e4dc105bb0bb03
                                                                                        • Instruction ID: 112745a5531bf13b6b638cf281184e33578abeb8bcab723b6d5806942974f682
                                                                                        • Opcode Fuzzy Hash: 580e830a1f3f142739fa8e84820514334f20fc3bd82f749c04e4dc105bb0bb03
                                                                                        • Instruction Fuzzy Hash: DA21A3306051514FCF32DB28F984B6D77AAEB89300F505976D406CB36ADB38DC4A8F92
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6fc2118ec51e70d68829a4f1d89be0f4daaad10befb9e71668d423f88cb14ad2
                                                                                        • Instruction ID: e3ee6648ecc8f7daca5e1ed1823381e11b204985c67024fff441adc59d79580d
                                                                                        • Opcode Fuzzy Hash: 6fc2118ec51e70d68829a4f1d89be0f4daaad10befb9e71668d423f88cb14ad2
                                                                                        • Instruction Fuzzy Hash: D6219E30E0022A9BDB15CFA8D58069EF7B6FF89304F148629E905EB345DB71EC46CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 9e4e0156560d03be8ee470c0ff9634de132d52aada31e52ef4faae0ca6d3516b
                                                                                        • Instruction ID: 0f1aea5298ecd8225e1f98bf54a37687a14187dbb11403ea1045ab08c9fda03d
                                                                                        • Opcode Fuzzy Hash: 9e4e0156560d03be8ee470c0ff9634de132d52aada31e52ef4faae0ca6d3516b
                                                                                        • Instruction Fuzzy Hash: A021F534700215CFDB64DF78D958AADBBF1EB89304B1045A8E406EB3A5DB7A9D02CB51
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 61aee833d77ce696cc8552f71b6dec4a2532e51e109055cfdff838a187340466
                                                                                        • Instruction ID: 56bfc7faa167cef34f538b45c09e61e71ba6931a547a60902de31a1315d50b5c
                                                                                        • Opcode Fuzzy Hash: 61aee833d77ce696cc8552f71b6dec4a2532e51e109055cfdff838a187340466
                                                                                        • Instruction Fuzzy Hash: 3421A431E00225DBCB15CFA9D8546EEF7B2EF89304F148629E912F7355DB70A942CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 31c7be1b56852d45b75bccfd45e8c31a699bcb9cbf5dbba38b675173605917d1
                                                                                        • Instruction ID: 68ef21a44edd8f867d70dabb61700e302aefbb2bcc951c1fca8afcb611538b19
                                                                                        • Opcode Fuzzy Hash: 31c7be1b56852d45b75bccfd45e8c31a699bcb9cbf5dbba38b675173605917d1
                                                                                        • Instruction Fuzzy Hash: 3F215C30B002658FDB29DB68C9546AEB7F5BF89344F5004ADD446EB264DB369D02CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3110455446.00000000016DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016DD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_16dd000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        • Source File: 00000008.00000002.3122752310.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6860000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: 0oNp$DqNp$PHkq
                                                                                        • API String ID: 0-4000632471
                                                                                        • Opcode ID: d14b99b1adfdc4815031ade09e5f50c27d4b6d8154fcc521645d12c0dd4a3385
                                                                                        • Instruction ID: c2fd708985c85debe58a0f81388da4c23deadc8a9290ae43dffa4d222f3fe7c3
                                                                                        • Opcode Fuzzy Hash: d14b99b1adfdc4815031ade09e5f50c27d4b6d8154fcc521645d12c0dd4a3385
                                                                                        • Instruction Fuzzy Hash: 14228C30B001058FDB64DB69D984BAEB7E2FF88310F208569E506DB3A5DB75EC85CB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122752310.0000000006860000.00000040.00000800.00020000.00000000.sdmp, Offset: 06860000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_6860000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: XPpq$\Opq
                                                                                        • API String ID: 0-2429731126
                                                                                        • Opcode ID: 8be7834e64136d0a4e1ad8d5df37fc6ffe44e52ba7dd5aab8dafb96fe98bfd3b
                                                                                        • Instruction ID: aed14a8d90b302a0bd5f03c9d1f63b05f209c9973124f7529c6e86f1a6cc9a62
                                                                                        • Opcode Fuzzy Hash: 8be7834e64136d0a4e1ad8d5df37fc6ffe44e52ba7dd5aab8dafb96fe98bfd3b
                                                                                        • Instruction Fuzzy Hash: 0DD10431F101148FDF54DB69D890AAEB7F2FB89314F24946AE606EB391CA35EC45CB90
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3111060106.0000000001720000.00000040.00000800.00020000.00000000.sdmp, Offset: 01720000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_1720000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm
                                                                                        • API String ID: 0-2808160488
                                                                                        • Opcode ID: 62e4430235c3efd0ddadc4921fa12b09e494ad9807be0cfeac831a844b1f4e45
                                                                                        • Instruction ID: cdb3f809c194b3b21df84b049b9e8cb02bec1dd68bf82a10af87ffcc9cc7cf4b
                                                                                        • Opcode Fuzzy Hash: 62e4430235c3efd0ddadc4921fa12b09e494ad9807be0cfeac831a844b1f4e45
                                                                                        • Instruction Fuzzy Hash: 39B13C71E00229CFDF14CFA9C9857ADFBF2BF89314F148129D856A7294EB749846CB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122366821.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_5f90000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 579fca7e73e5bdc57854c4b3f354acbdf86fd745776cc14757847b95a72ada7c
                                                                                        • Instruction ID: 8a79b6dbfd995e493cefa17892cb82cd29e5d3d80cc409d682214960f4e01bad
                                                                                        • Opcode Fuzzy Hash: 579fca7e73e5bdc57854c4b3f354acbdf86fd745776cc14757847b95a72ada7c
                                                                                        • Instruction Fuzzy Hash: 47B19471E0061A9FDF24DFA9C840BAFBBB6FB89710F10852AD505E7390CB399945CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122366821.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_5f90000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 48362d4d43425a222970ae4cd346adde33bb3d07a39b38455c33d50b7e190d96
                                                                                        • Instruction ID: 242f02f3754c40a55e2a0aeefd694d7ee55e7305da8ebb8689d8eb1e1e91dd93
                                                                                        • Opcode Fuzzy Hash: 48362d4d43425a222970ae4cd346adde33bb3d07a39b38455c33d50b7e190d96
                                                                                        • Instruction Fuzzy Hash: 3DA17132F00609CFDF09DFB4C88499EB7B6FF85300B25856AE906AB261DB35D955CB80
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122366821.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_5f90000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4fcca4b49cbcded307ea1a47499db97cbade017c860fa8271115f8210d0836ac
                                                                                        • Instruction ID: 693675e6ce6b6733aa55e37542bbd2572480977358109a343724e8cc86defdd6
                                                                                        • Opcode Fuzzy Hash: 4fcca4b49cbcded307ea1a47499db97cbade017c860fa8271115f8210d0836ac
                                                                                        • Instruction Fuzzy Hash: 77814F75D0064A8FEF25CF99C580EEEBBB2FB48310F15852AE44AE7251C338D941CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000008.00000002.3122366821.0000000005F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 05F90000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_8_2_5f90000_Musterino_94372478_Ekno_101_20241031410530_ekstre.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: edce572633e4c6d63d200cddfe4d2b85858b7a0c3db4476ff4fb6263b56a4b4c
                                                                                        • Instruction ID: 428a3e48ad9a6f5dc744ecf08537860190a8f4e6c75ee3ba6c5a33638735d57e
                                                                                        • Opcode Fuzzy Hash: edce572633e4c6d63d200cddfe4d2b85858b7a0c3db4476ff4fb6263b56a4b4c
                                                                                        • Instruction Fuzzy Hash: B6C1E6B08097468BF730DF65E94C1D97BB1BB85324F528709D1616B2E9EBB8148BCF84

                                                                                        Execution Graph

                                                                                        Execution Coverage:6.8%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:67
                                                                                        Total number of Limit Nodes:2

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00F8AF5E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972313450.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f80000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: ecebb83e925ab54cd64bb02240bb24100314c1ce453cdc214df973ced57e0ef2
                                                                                        • Instruction ID: b114e28bab3ae12a3f135e121be6df2a23ac7764aee1bb304445a63e49459a49
                                                                                        • Opcode Fuzzy Hash: ecebb83e925ab54cd64bb02240bb24100314c1ce453cdc214df973ced57e0ef2
                                                                                        • Instruction Fuzzy Hash: 25714670A00B058FE724EF2AD44179ABBF5FF88314F00892ED48AD7A50D775E949DB91

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 00F859A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972313450.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f80000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 8301cc9114e4839335e8df63dea2b78dae52caa0472ee45e49ee07743123a8b0
                                                                                        • Instruction ID: a4e736426ab6d82e4c4dc326a140e22de7ad1e55ca34ef434967672d8d4d61e3
                                                                                        • Opcode Fuzzy Hash: 8301cc9114e4839335e8df63dea2b78dae52caa0472ee45e49ee07743123a8b0
                                                                                        • Instruction Fuzzy Hash: 3F41DFB0C00719CFDB24DFA9C8847CDBBB5BF89714F24816AD408AB265DB796946CF90

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateActCtxA.KERNEL32(?), ref: 00F859A9
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972313450.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f80000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID: Create
                                                                                        • String ID:
                                                                                        • API String ID: 2289755597-0
                                                                                        • Opcode ID: 7410d2a9090347dea5bec84d67b2ffed7331cf8f256501854da9dec70449a3bd
                                                                                        • Instruction ID: 05ede79a0864ffd235af7903b3da27824a009afbc366d8f1f30157b8737ce976
                                                                                        • Opcode Fuzzy Hash: 7410d2a9090347dea5bec84d67b2ffed7331cf8f256501854da9dec70449a3bd
                                                                                        • Instruction Fuzzy Hash: 3341E2B0C0071DCBDB24DFA9C884BCDBBB5BF89704F20816AD408AB255DB756945CF90

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F8D5B6,?,?,?,?,?), ref: 00F8D677
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972313450.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f80000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: 65adabb1cae3abb297fe9abd8509a061bb1ec74ab017e709f1f0a7f1768fc343
                                                                                        • Instruction ID: afcdca81079424d27b344b3a5f60d58668d5e756d9d1caf2b2ba2f2b7328dc72
                                                                                        • Opcode Fuzzy Hash: 65adabb1cae3abb297fe9abd8509a061bb1ec74ab017e709f1f0a7f1768fc343
                                                                                        • Instruction Fuzzy Hash: C921E3B5D00208EFDB10DF9AD984ADEBBF4EB48324F14801AE918A7351D374A940DFA4

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F8D5B6,?,?,?,?,?), ref: 00F8D677
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972313450.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f80000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID: DuplicateHandle
                                                                                        • String ID:
                                                                                        • API String ID: 3793708945-0
                                                                                        • Opcode ID: a9b9a94f78721d7ab5ba76d9cc8c88be26c011be41b5791ef9640df730d35b0f
                                                                                        • Instruction ID: b1e8dac0efbf88cc94ea71779befec009df6c7ab69459e2462daafa0ce02ed4b
                                                                                        • Opcode Fuzzy Hash: a9b9a94f78721d7ab5ba76d9cc8c88be26c011be41b5791ef9640df730d35b0f
                                                                                        • Instruction Fuzzy Hash: AB21E6B5D00259EFDB10CF9AD984ADEBFF5EB48324F14801AE958A3350D378A944CFA4

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00F8AF5E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972313450.0000000000F80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F80000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f80000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID: HandleModule
                                                                                        • String ID:
                                                                                        • API String ID: 4139908857-0
                                                                                        • Opcode ID: 6b22b4d3adbd39304a7abe0d18174eecb082834497201028afc9c970ecf72a71
                                                                                        • Instruction ID: 5fd734bc8f3f22ec838329d40197577772b91077674d02070fa8e93325c71170
                                                                                        • Opcode Fuzzy Hash: 6b22b4d3adbd39304a7abe0d18174eecb082834497201028afc9c970ecf72a71
                                                                                        • Instruction Fuzzy Hash: 3511E0B5C002498FDB20DF9AD844ADEFBF4EF88324F10846AD559A7214C379A545CFA5
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1971926306.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_d1d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 749f42b3ac41fec87641d9652f6a91d1d9e3b97b377306609cef261d423ee7e5
                                                                                        • Instruction ID: 06c7097c8aadb23f539f05484267632e0c2f8d1af1f0b7deae7a48c4a845009f
                                                                                        • Opcode Fuzzy Hash: 749f42b3ac41fec87641d9652f6a91d1d9e3b97b377306609cef261d423ee7e5
                                                                                        • Instruction Fuzzy Hash: 7F216A71100200EFDB04DF04E9C0B57BF66FB98314F24C169E8090B256C736E886C7B2
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972101526.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f3d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ef53c812816cb2145ffc78a3003dba315a556ee515d1682e11211ad4e00a7661
                                                                                        • Instruction ID: 19aabfbd39324e077728a1739482deeb19e995ba52b7e1bb92d9f119cc1591d0
                                                                                        • Opcode Fuzzy Hash: ef53c812816cb2145ffc78a3003dba315a556ee515d1682e11211ad4e00a7661
                                                                                        • Instruction Fuzzy Hash: 6F212671904204EFDB05DF14E9C0B27BBA5FB84334F20C66DE8494B396C736D846DA61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972101526.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f3d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 651eb50c6c71ab8e7efe9e2b07ad15a29b9c3889e99ebce97fe8aef138a1b0ed
                                                                                        • Instruction ID: 4b8e47fa1f3cab78e1349494b7119c2c97f4fd9a92f89d709df95d5de2a12137
                                                                                        • Opcode Fuzzy Hash: 651eb50c6c71ab8e7efe9e2b07ad15a29b9c3889e99ebce97fe8aef138a1b0ed
                                                                                        • Instruction Fuzzy Hash: BC21F5B1504200DFCB18DF14E5C4B16BB65FB84734F20C569D84A4B25AC336D847DA61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972101526.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f3d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d4aa16b31d7653e9c761bb92d50922c0f6bd1fbe2463d511fd6857de2ae0b683
                                                                                        • Instruction ID: 437544e1a76286c47c7034fc79f19344b6cc6d7ec93ebd85d0783ff2431734ca
                                                                                        • Opcode Fuzzy Hash: d4aa16b31d7653e9c761bb92d50922c0f6bd1fbe2463d511fd6857de2ae0b683
                                                                                        • Instruction Fuzzy Hash: 192180755093808FCB06CF24D994715BF71EB46324F28C5EAD8498F2A7C33A980ADB62
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1971926306.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_d1d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction ID: a7c7e23eecc2e78060e2c8d82c1b25ad5c19f8d9f77cc12cd167fabf05f0dcca
                                                                                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                                                                        • Instruction Fuzzy Hash: A2112672504240DFCB16CF00D5C4B56BF72FB94324F28C6A9DC090B256C33AE85ACBA1
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1972101526.0000000000F3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F3D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_f3d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction ID: 996be3665a5de8b36d41f48cdb1adbbff3b48ad0309448b7e336a27446082e41
                                                                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                                                                        • Instruction Fuzzy Hash: 8C11BB75904280DFCB06CF10D9C4B16BBA1FB84324F24C6AAD8494B296C33AD80ADB61
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1971926306.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_d1d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d83288d38a4b32ffbd94db1a0ae5c22f0c9b4a54491040d5ec4cb469c38bb8c3
                                                                                        • Instruction ID: 89acf373fd1047bebbf9314820e1f4d26e04ff0716c52b0e0e7ee0423a3a417a
                                                                                        • Opcode Fuzzy Hash: d83288d38a4b32ffbd94db1a0ae5c22f0c9b4a54491040d5ec4cb469c38bb8c3
                                                                                        • Instruction Fuzzy Hash: FC01A771108340AAE7204A29ED847A7FFD9EF51324F1CC92AED4A4A2C6CB79DC80C671
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000009.00000002.1971926306.0000000000D1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D1D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_9_2_d1d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b7b08d5569a9098194a96cfc21f91efe32fec3f8d81d100dde78b3f7e7d44a23
                                                                                        • Instruction ID: 1da0af74411d150cfc81f7f017e4dcdf20f4039662f45a641e559e2b2a49087a
                                                                                        • Opcode Fuzzy Hash: b7b08d5569a9098194a96cfc21f91efe32fec3f8d81d100dde78b3f7e7d44a23
                                                                                        • Instruction Fuzzy Hash: 21F06871408344AEE7208A16DC84762FFE8EF51734F18C45AED094A286C7799C44CA71

                                                                                        Execution Graph

                                                                                        Execution Coverage:15.3%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:30
                                                                                        Total number of Limit Nodes:3
                                                                                        execution_graph 24198 1890848 24200 189084e 24198->24200 24199 189091b 24200->24199 24202 1891370 24200->24202 24204 1891386 24202->24204 24203 1891474 24203->24200 24204->24203 24208 1896f68 24204->24208 24212 1896ec7 24204->24212 24216 1897080 24204->24216 24210 1896f7e 24208->24210 24209 18970ea 24209->24204 24210->24209 24223 68bef0f 24210->24223 24214 1896eeb 24212->24214 24213 1896f34 24213->24204 24214->24213 24215 68bef0f GlobalMemoryStatusEx 24214->24215 24215->24213 24217 189708a 24216->24217 24219 18970a4 24217->24219 24222 68bd428 GlobalMemoryStatusEx 24217->24222 24231 68bd419 24217->24231 24218 18970ea 24218->24204 24219->24218 24220 68bef0f GlobalMemoryStatusEx 24219->24220 24220->24218 24222->24219 24224 68bef1a 24223->24224 24227 68bd428 24224->24227 24226 68bef21 24226->24209 24229 68bd43d 24227->24229 24228 68bd652 24228->24226 24229->24228 24230 68bd668 GlobalMemoryStatusEx 24229->24230 24230->24229 24233 68bd428 24231->24233 24232 68bd652 24232->24219 24233->24232 24234 68bd668 GlobalMemoryStatusEx 24233->24234 24234->24233
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 173b4d18f956c078eaa2d876c9d129372913e961ad340401953885d2c47dd1a0
                                                                                        • Instruction ID: d13df004172ac16de8565dda0479c823cd9e2a7321ea8aa95e5ece166320755b
                                                                                        • Opcode Fuzzy Hash: 173b4d18f956c078eaa2d876c9d129372913e961ad340401953885d2c47dd1a0
                                                                                        • Instruction Fuzzy Hash: 6A530931C10B1A8ACB55EF68C880599F7B1FF99300F55D79AE458BB125FB70AAC4CB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 91f13926ddf638ce955a2ed5c0449a8c562fb82f9d2c2126ec801398850c672a
                                                                                        • Instruction ID: 49d9f8a52892e7211304c36a6a654b63cda55e56ac1341a22f93f0a161abdd5b
                                                                                        • Opcode Fuzzy Hash: 91f13926ddf638ce955a2ed5c0449a8c562fb82f9d2c2126ec801398850c672a
                                                                                        • Instruction Fuzzy Hash: 95331E31D10B198EDB15DF68C8846ADF7B1FF99300F15C79AE448A7225EB70AAC5CB81
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm
                                                                                        • API String ID: 0-2808160488
                                                                                        • Opcode ID: 41f8c4fad666b445804d8a2cca8f78a76f9cbe790b769f68956ace4eae799a31
                                                                                        • Instruction ID: bcd5e7f89b0d8f934c3a3566974c28ee480563e0bfd437d22ae8ad33351687c7
                                                                                        • Opcode Fuzzy Hash: 41f8c4fad666b445804d8a2cca8f78a76f9cbe790b769f68956ace4eae799a31
                                                                                        • Instruction Fuzzy Hash: 00913E70E00209DFDF14CFA9DA8579DBBF2BF88314F188129E415E7254DB749946CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c5f2f198a5850daea0b03ce2a3fa96ccc9a5d79da63d9d74c6aa0245682aa1fa
                                                                                        • Instruction ID: b97968c02cc93d7ad2c82455ce5ea191fae66f6c087782743b3e5482547ab85b
                                                                                        • Opcode Fuzzy Hash: c5f2f198a5850daea0b03ce2a3fa96ccc9a5d79da63d9d74c6aa0245682aa1fa
                                                                                        • Instruction Fuzzy Hash: 8BB14E74E00209CFDF14CFA9CA9179DBBF2AF88314F188529D815E7394EB749946CB81

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1795 189fcd8-189fcf7 1796 189fcfd-189fd06 1795->1796 1797 189feb2-189fed6 1795->1797 1800 189fedd-189ff76 1796->1800 1801 189fd0c-189fd61 1796->1801 1797->1800 1842 189ff7d-189ff82 1800->1842 1810 189fd8b-189fd94 1801->1810 1811 189fd63-189fd88 1801->1811 1812 189fd99-189fda9 1810->1812 1813 189fd96 1810->1813 1811->1810 1849 189fdab call 189fcc8 1812->1849 1850 189fdab call 189fcd8 1812->1850 1851 189fdab call 189feb8 1812->1851 1852 189fdab call 189ff88 1812->1852 1813->1812 1817 189fdb1-189fdb3 1819 189fe0d-189fe5a 1817->1819 1820 189fdb5-189fdba 1817->1820 1832 189fe61-189fe66 1819->1832 1822 189fdbc-189fdf1 1820->1822 1823 189fdf3-189fe06 1820->1823 1822->1832 1823->1819 1834 189fe68 1832->1834 1835 189fe70-189fe75 1832->1835 1834->1835 1837 189fe7f-189fe84 1835->1837 1838 189fe77 1835->1838 1840 189fe99-189fe9a 1837->1840 1841 189fe86-189fe91 1837->1841 1838->1837 1840->1797 1841->1840 1849->1817 1850->1817 1851->1817 1852->1817
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: (&kq$(oq
                                                                                        • API String ID: 0-2620321033
                                                                                        • Opcode ID: 52cb582723754fbb429a7f356254b7f2242df1d7b3f9ed997d75803e50b87627
                                                                                        • Instruction ID: 8e5e8d4781d06f7e3474e6fc94f3007de225d4953605aaef3d5eab8a34629d97
                                                                                        • Opcode Fuzzy Hash: 52cb582723754fbb429a7f356254b7f2242df1d7b3f9ed997d75803e50b87627
                                                                                        • Instruction Fuzzy Hash: 9F719D31F002199BDB19DFA9C850AAEBBF6AFC8700F148529E505EB384DF34AD41C7A5

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1853 18947f4-189488c 1857 189488e-1894899 1853->1857 1858 18948d6-18948d8 1853->1858 1857->1858 1860 189489b-18948a7 1857->1860 1859 18948da-18948f2 1858->1859 1866 189493c-189493e 1859->1866 1867 18948f4-18948ff 1859->1867 1861 18948a9-18948b3 1860->1861 1862 18948ca-18948d4 1860->1862 1864 18948b5 1861->1864 1865 18948b7-18948c6 1861->1865 1862->1859 1864->1865 1865->1865 1868 18948c8 1865->1868 1870 1894940-1894952 1866->1870 1867->1866 1869 1894901-189490d 1867->1869 1868->1862 1871 189490f-1894919 1869->1871 1872 1894930-189493a 1869->1872 1877 1894959-1894985 1870->1877 1873 189491b 1871->1873 1874 189491d-189492c 1871->1874 1872->1870 1873->1874 1874->1874 1876 189492e 1874->1876 1876->1872 1878 189498b-1894999 1877->1878 1879 189499b-18949a1 1878->1879 1880 18949a2-18949ff 1878->1880 1879->1880 1887 1894a0f-1894a13 1880->1887 1888 1894a01-1894a05 1880->1888 1889 1894a23-1894a27 1887->1889 1890 1894a15-1894a19 1887->1890 1888->1887 1891 1894a07-1894a0a call 1890ab8 1888->1891 1894 1894a29-1894a2d 1889->1894 1895 1894a37-1894a3b 1889->1895 1890->1889 1893 1894a1b-1894a1e call 1890ab8 1890->1893 1891->1887 1893->1889 1894->1895 1897 1894a2f 1894->1897 1898 1894a4b 1895->1898 1899 1894a3d-1894a41 1895->1899 1897->1895 1901 1894a4c 1898->1901 1899->1898 1900 1894a43 1899->1900 1900->1898 1901->1901
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm$\VLm
                                                                                        • API String ID: 0-1686317364
                                                                                        • Opcode ID: 1706ac30e42cb1d2525dd93e52dbff54d858add6fa48fbef97858d4107f73915
                                                                                        • Instruction ID: 20720ef57715aaf8c765579eb48ea56b1ba4e40eb2f03bbb7d05014d51c8cad6
                                                                                        • Opcode Fuzzy Hash: 1706ac30e42cb1d2525dd93e52dbff54d858add6fa48fbef97858d4107f73915
                                                                                        • Instruction Fuzzy Hash: F3714B70E002499FDF10CFA9CA817DEBBF1AF89314F188129E415EB264EB749946CB95

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1902 1894800-189488c 1905 189488e-1894899 1902->1905 1906 18948d6-18948d8 1902->1906 1905->1906 1908 189489b-18948a7 1905->1908 1907 18948da-18948f2 1906->1907 1914 189493c-189493e 1907->1914 1915 18948f4-18948ff 1907->1915 1909 18948a9-18948b3 1908->1909 1910 18948ca-18948d4 1908->1910 1912 18948b5 1909->1912 1913 18948b7-18948c6 1909->1913 1910->1907 1912->1913 1913->1913 1916 18948c8 1913->1916 1918 1894940-1894985 1914->1918 1915->1914 1917 1894901-189490d 1915->1917 1916->1910 1919 189490f-1894919 1917->1919 1920 1894930-189493a 1917->1920 1926 189498b-1894999 1918->1926 1921 189491b 1919->1921 1922 189491d-189492c 1919->1922 1920->1918 1921->1922 1922->1922 1924 189492e 1922->1924 1924->1920 1927 189499b-18949a1 1926->1927 1928 18949a2-18949ff 1926->1928 1927->1928 1935 1894a0f-1894a13 1928->1935 1936 1894a01-1894a05 1928->1936 1937 1894a23-1894a27 1935->1937 1938 1894a15-1894a19 1935->1938 1936->1935 1939 1894a07-1894a0a call 1890ab8 1936->1939 1942 1894a29-1894a2d 1937->1942 1943 1894a37-1894a3b 1937->1943 1938->1937 1941 1894a1b-1894a1e call 1890ab8 1938->1941 1939->1935 1941->1937 1942->1943 1945 1894a2f 1942->1945 1946 1894a4b 1943->1946 1947 1894a3d-1894a41 1943->1947 1945->1943 1949 1894a4c 1946->1949 1947->1946 1948 1894a43 1947->1948 1948->1946 1949->1949
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm$\VLm
                                                                                        • API String ID: 0-1686317364
                                                                                        • Opcode ID: 2a2e1eeb45966bb77992655105ee5a023d5fd5156c152b1e4d1fcd4b783b6add
                                                                                        • Instruction ID: fa470bcd5986fca402da06ff390997be0aaf7306c6303e3439ce6a874f30053c
                                                                                        • Opcode Fuzzy Hash: 2a2e1eeb45966bb77992655105ee5a023d5fd5156c152b1e4d1fcd4b783b6add
                                                                                        • Instruction Fuzzy Hash: E7714D71E002499FDF14CFA9CA807DEBBF2AF88314F188129E415EB254EB749946CB95

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 2017 1896ec7-1896ee6 2018 1896eeb-1896f32 call 1896c30 2017->2018 2027 1896f4e-1896f64 2018->2027 2028 1896f34-1896f4d call 1896754 2018->2028 2027->2018 2032 1896f66-1896f7c 2027->2032 2035 1896f7e-1896f81 2032->2035 2036 1896f91-1896f94 2035->2036 2037 1896f83 call 1897910 2035->2037 2038 1896fc7-1896fca 2036->2038 2039 1896f96-1896faa 2036->2039 2040 1896f89-1896f8c 2037->2040 2041 1896fcc-1896fd3 2038->2041 2042 1896fde-1896fe1 2038->2042 2052 1896fac-1896fae 2039->2052 2053 1896fb0 2039->2053 2040->2036 2046 1896fd9 2041->2046 2047 18970db-18970e2 2041->2047 2043 189701d-189701f 2042->2043 2044 1896fe3-1897018 2042->2044 2050 1897021 2043->2050 2051 1897026-1897029 2043->2051 2044->2043 2046->2042 2048 18970f1-18970f7 2047->2048 2049 18970e4 2047->2049 2065 18970e4 call 68bef0f 2049->2065 2066 18970e4 call 68bed60 2049->2066 2067 18970e4 call 68bed70 2049->2067 2050->2051 2051->2035 2054 189702f-189703e 2051->2054 2055 1896fb3-1896fc2 2052->2055 2053->2055 2059 1897068-189707d 2054->2059 2060 1897040-1897043 2054->2060 2055->2038 2056 18970ea 2056->2048 2059->2047 2062 189704b-1897066 2060->2062 2062->2059 2062->2060 2065->2056 2066->2056 2067->2056
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LRkq$LRkq
                                                                                        • API String ID: 0-2882777380
                                                                                        • Opcode ID: afd59ae9b21c4445495a7aa2af9c624a1491144a67b821b8112ac25dd925ac37
                                                                                        • Instruction ID: 95253a9f5e05ff33f4ebad895aa7a8fb1a607f403577f7db674ff07670218c1c
                                                                                        • Opcode Fuzzy Hash: afd59ae9b21c4445495a7aa2af9c624a1491144a67b821b8112ac25dd925ac37
                                                                                        • Instruction Fuzzy Hash: 4F519230A102499FDF16DF78C4547AEBBB2EF86300F2484AAE405EB351EB759D46CB51

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 2688 68be228-68be243 2689 68be26d-68be28c call 68bd3f4 2688->2689 2690 68be245-68be26c call 68bd3e8 2688->2690 2696 68be28e-68be291 2689->2696 2697 68be292-68be2f1 2689->2697 2704 68be2f3-68be2f6 2697->2704 2705 68be2f7-68be384 GlobalMemoryStatusEx 2697->2705 2708 68be38d-68be3b5 2705->2708 2709 68be386-68be38c 2705->2709 2709->2708
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3122275206.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_68b0000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c4c3e4e861064d337b170b21cbd4bcd24025a1ab42625960b1d2e5e3213688c3
                                                                                        • Instruction ID: bcbcca2aa1044ed4ecb4f63e96ed428718d2757d1fb82db75c02e662c211c117
                                                                                        • Opcode Fuzzy Hash: c4c3e4e861064d337b170b21cbd4bcd24025a1ab42625960b1d2e5e3213688c3
                                                                                        • Instruction Fuzzy Hash: F4412372D0435A8FCB04DFA9D8146EEBBF5AF89210F15866AD408E7351DB389984CBE1

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 2712 68be310-68be34e 2713 68be356-68be384 GlobalMemoryStatusEx 2712->2713 2714 68be38d-68be3b5 2713->2714 2715 68be386-68be38c 2713->2715 2715->2714
                                                                                        APIs
                                                                                        • GlobalMemoryStatusEx.KERNELBASE(8B550214), ref: 068BE377
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3122275206.00000000068B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_68b0000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID: GlobalMemoryStatus
                                                                                        • String ID:
                                                                                        • API String ID: 1890195054-0
                                                                                        • Opcode ID: dd6ae2e7cbef9cf0462aa57b5366ca79b5487a686fc0d16ae5f96c4582e31ac4
                                                                                        • Instruction ID: 578245d630395d74e24a1f97ae16bd397447fa244699423e757819d9c698f3f6
                                                                                        • Opcode Fuzzy Hash: dd6ae2e7cbef9cf0462aa57b5366ca79b5487a686fc0d16ae5f96c4582e31ac4
                                                                                        • Instruction Fuzzy Hash: C21120B1C002699FCB10CF9AC544BDEFBF8AF48320F10816AE818A7350D378A944CFA5
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: \VLm
                                                                                        • API String ID: 0-2808160488
                                                                                        • Opcode ID: 8bad13afa123ffb7d6a82746ea02b7a4360ab0606c9af88c7d211701f1fb89d2
                                                                                        • Instruction ID: de9e59f8f6962ce081591d6308000a0654c916ce14a213fe16d59115648bea55
                                                                                        • Opcode Fuzzy Hash: 8bad13afa123ffb7d6a82746ea02b7a4360ab0606c9af88c7d211701f1fb89d2
                                                                                        • Instruction Fuzzy Hash: FA913BB0E00609CFDF10CFA9DA8179DBBF2BF48314F188129E855E7254DB749986CB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: PHkq
                                                                                        • API String ID: 0-902561536
                                                                                        • Opcode ID: 593edfe8aaf479eb1ddcfc92521d145dbfeaa498dda18d1a544d8fc82f9e337a
                                                                                        • Instruction ID: d6413b518a639eaecb532cf18d89d0699eec3f697bb29d94c9c7369913aae5dc
                                                                                        • Opcode Fuzzy Hash: 593edfe8aaf479eb1ddcfc92521d145dbfeaa498dda18d1a544d8fc82f9e337a
                                                                                        • Instruction Fuzzy Hash: C541B130B002058FDF199B38C5946AE7FA6EF89310F288468D506DB395DF39DD46CB91
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LRkq
                                                                                        • API String ID: 0-1052062081
                                                                                        • Opcode ID: d2f1b6b79928b15e36780cb0782e1e87c30fad6926da3a2336cdc2ebbe8a0869
                                                                                        • Instruction ID: b5791b9de0d77140e8808910dedb4559f7b2b24d06cab3d681341ae5cb74713d
                                                                                        • Opcode Fuzzy Hash: d2f1b6b79928b15e36780cb0782e1e87c30fad6926da3a2336cdc2ebbe8a0869
                                                                                        • Instruction Fuzzy Hash: 9D319E34E1030A8FDF25CFA8C54479EB7B2FF85300F248429E505EB250EB75AA81CB50
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: LRkq
                                                                                        • API String ID: 0-1052062081
                                                                                        • Opcode ID: d229555bfbd54b7d64d6eb9135fe282c40a9995cbc35771856c957df9c74d87d
                                                                                        • Instruction ID: 679448852ea069f151dca10d979a202f4afaae9f4d1fc6eef2317d70e5456926
                                                                                        • Opcode Fuzzy Hash: d229555bfbd54b7d64d6eb9135fe282c40a9995cbc35771856c957df9c74d87d
                                                                                        • Instruction Fuzzy Hash: CC11A3307092854FC7126B3884606AEBFB2EF8B310B1488EAD085CB3A2DE355C86C751
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e6d380d96b8fc4eb8aa1a533b840f0a4182f79b26177703569bda398b07a7ba1
                                                                                        • Instruction ID: f33b0b965c0866d15b71d7881e9956d6bba20dcc87b94207b1dcebc7adc4dbef
                                                                                        • Opcode Fuzzy Hash: e6d380d96b8fc4eb8aa1a533b840f0a4182f79b26177703569bda398b07a7ba1
                                                                                        • Instruction Fuzzy Hash: A1124D30B503029FCB16AB3CE994669B3A2FBC9355B244939D005DB765CF39EC86CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b31db3d84c772a0ca3a050678a349eb542bbb387014dbc33373b95a00fd63211
                                                                                        • Instruction ID: d8c79399018764464503a464ea91963b1950051c04667604bc5c285ae79b015e
                                                                                        • Opcode Fuzzy Hash: b31db3d84c772a0ca3a050678a349eb542bbb387014dbc33373b95a00fd63211
                                                                                        • Instruction Fuzzy Hash: BFD1CF70F002058FDF11CF69D8807AEBBB6EB89314F18856AE509EB396DB34D945CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 27f5b2de120b357c14178b72687b8adc04c13111c97685347fdf2568efb4b796
                                                                                        • Instruction ID: 76ec2a630fc30abde8146596e88178a48673b0ffe679f551a29bb76daf34d00f
                                                                                        • Opcode Fuzzy Hash: 27f5b2de120b357c14178b72687b8adc04c13111c97685347fdf2568efb4b796
                                                                                        • Instruction Fuzzy Hash: 1AC16C74E002049FDF15DF68D984AAEBBF2EF89314F188469E906E7355DB349D82CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d58394bc9f5aa9296d84e429ca6c867d1a55c762816aae2a158ab7cd0bf4cd59
                                                                                        • Instruction ID: a6798211ce5bc7972d6892a35be99daafd8cd89b5b2c3fc9d23b63e27f13c6c4
                                                                                        • Opcode Fuzzy Hash: d58394bc9f5aa9296d84e429ca6c867d1a55c762816aae2a158ab7cd0bf4cd59
                                                                                        • Instruction Fuzzy Hash: F8B13C74E00249CFDF14CFA9CA917DDBBF1AF48314F188129E815EB254EB749986CB81
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7593b724b3c091e84cf8141b759b1dfe40dd415500052fb7b8f8be042042df21
                                                                                        • Instruction ID: 5b8f25281e92b05beaaf1a526c867726a4c585ac16dc43e57782ece0bb79b241
                                                                                        • Opcode Fuzzy Hash: 7593b724b3c091e84cf8141b759b1dfe40dd415500052fb7b8f8be042042df21
                                                                                        • Instruction Fuzzy Hash: FC61B172E101598BDF25CB58C9807BEFBF2EB84310F1D896AD445EB642C336AE44DB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3c97cd52234cc216796d441f5f8cef66d3e84b5ef1811d321a4c05501c1dbfc4
                                                                                        • Instruction ID: 114c6d98839d8355bbad9cee9ffc17f8c0ee48fcd90d2991c51751983752cdda
                                                                                        • Opcode Fuzzy Hash: 3c97cd52234cc216796d441f5f8cef66d3e84b5ef1811d321a4c05501c1dbfc4
                                                                                        • Instruction Fuzzy Hash: 0E5113B0D002188FDF14CFA9C994B9DBBF1BF48310F288129E819AB355E774A984CF95
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 24b5297175c42ef37b5753b89a1c9126a6bb8b6fa71ed916920d121ed2007e22
                                                                                        • Instruction ID: 29d06dd82703b3b0c1962af0db32db6cd8b373d82836bad995ee8432e90cb702
                                                                                        • Opcode Fuzzy Hash: 24b5297175c42ef37b5753b89a1c9126a6bb8b6fa71ed916920d121ed2007e22
                                                                                        • Instruction Fuzzy Hash: 1251F3B0D002188FDF14CFA9C994B9DBBF1BF48710F288129E819AB355D774A984CF95
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6fc81a0ed6cc8d4516fb98ae620e38f75532bd7f47f644892c1b0aa2464a6c8e
                                                                                        • Instruction ID: 2993bc1bcbbd2dae6088d64ba44682a4687e2e80b6d9654d02cdb5ce15c78c78
                                                                                        • Opcode Fuzzy Hash: 6fc81a0ed6cc8d4516fb98ae620e38f75532bd7f47f644892c1b0aa2464a6c8e
                                                                                        • Instruction Fuzzy Hash: 40415371E002199BDF14CFA9C980ADEBBF5BF88700F288129E515F7354DB70AA45CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6dece5e0ffbae3d8e76833d27abb77961da57890b36e2ffe05fa91c3a7b21bf6
                                                                                        • Instruction ID: e732daa2baf0a5257978aa7fd9d7a06a4bd2b4afb2f7a1847dbf08624154f18e
                                                                                        • Opcode Fuzzy Hash: 6dece5e0ffbae3d8e76833d27abb77961da57890b36e2ffe05fa91c3a7b21bf6
                                                                                        • Instruction Fuzzy Hash: F151D7352552868FDB15DB3CFE80A947F72FB92714304C5A9D0056B23BDA386E89CF81
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: c78072d03a476be80b0bc357cf7c17a49672280c9df069546acc7a5fc1f07370
                                                                                        • Instruction ID: 8d8eb3de5cc091b7d13c08263ad0b859f72f8e60dfd2ce330a56ed4ccd190dc2
                                                                                        • Opcode Fuzzy Hash: c78072d03a476be80b0bc357cf7c17a49672280c9df069546acc7a5fc1f07370
                                                                                        • Instruction Fuzzy Hash: CE51B7352552868FDB15DB2CFE80A847F62F792714300C6A9D0056B33ADB786E89DF92
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7600a74825a5b2fdc8ef6cb916bbc730f978ee397eec6cadd3c7a05588319db5
                                                                                        • Instruction ID: 50f2a3223357c88dc6486dbad5e3cac3c155d47127972d9bdf17342c09071c5c
                                                                                        • Opcode Fuzzy Hash: 7600a74825a5b2fdc8ef6cb916bbc730f978ee397eec6cadd3c7a05588319db5
                                                                                        • Instruction Fuzzy Hash: 18315234E102469FCB19CFA9C5946AEBBF2FF89310F148569E906E7350DB70AD82CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b3dea2ff5cda65256a1852e7c63855a0e01ddccc4dc3c858541e04172c20ccc3
                                                                                        • Instruction ID: 30b54f366eb4a2f4359ab6114143ed69a3f9a97ba6996c7164c9bfeb75e89049
                                                                                        • Opcode Fuzzy Hash: b3dea2ff5cda65256a1852e7c63855a0e01ddccc4dc3c858541e04172c20ccc3
                                                                                        • Instruction Fuzzy Hash: 7941FFB0D00349EFDB10DFA9C584ADEBFB5FF48310F148429E809AB254DB759946CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6364602ecb178e2189ad909829b597c3592c66fb817a1d8221da395462e9a632
                                                                                        • Instruction ID: 477f3f1d4af8f370f3f32a5ebd84a1451b19784e61ef58629037753da3db30a1
                                                                                        • Opcode Fuzzy Hash: 6364602ecb178e2189ad909829b597c3592c66fb817a1d8221da395462e9a632
                                                                                        • Instruction Fuzzy Hash: 6C313034E102099BCF19CFA9D95469EBBF2BF89310F148529E90AE7354DB71AD82CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b0bddfdd6717129b28f0d6b84b8c5d0460a415c2f2b4eb081a560c3bb8a9726a
                                                                                        • Instruction ID: e7ba2bdea2b70b1b4180524ffc1803fce18a19fad35119c46df7473b0372dfc5
                                                                                        • Opcode Fuzzy Hash: b0bddfdd6717129b28f0d6b84b8c5d0460a415c2f2b4eb081a560c3bb8a9726a
                                                                                        • Instruction Fuzzy Hash: 9F41CEB0D00349EFDB10DFA9C584ADEBFB5FF48314F148429E819AB254DB75A945CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 74a67bfc3902ad9e5c85cdbe6e787c77dccb0bd51a005ed127bd12a8ef88cd75
                                                                                        • Instruction ID: d579bdd949e2c8e13ce0c60a05518f7c6e7220133aa851b2a9421fafe95e2691
                                                                                        • Opcode Fuzzy Hash: 74a67bfc3902ad9e5c85cdbe6e787c77dccb0bd51a005ed127bd12a8ef88cd75
                                                                                        • Instruction Fuzzy Hash: FD318F30E0024A9BDF05CFA9D59069EFBB6FF89304F148669E809FB251DB709982CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: cb89906981c441fdd5ee3185b52ea2e19002456ff8966ee6419c69aec680ba38
                                                                                        • Instruction ID: 0bf333ef051cb32dfb69d7ef2a7aab6239d95b255f8aa3cd1bb529ce6a988f91
                                                                                        • Opcode Fuzzy Hash: cb89906981c441fdd5ee3185b52ea2e19002456ff8966ee6419c69aec680ba38
                                                                                        • Instruction Fuzzy Hash: FA215C34E0020A9BDF15CFA9D58069EF7B6BF89304F148629E819FB255DB709986CB90
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 50e39b514b9f29e75d4de9fcd56f1d1acf8e3b259d57035d154f7242efd119a4
                                                                                        • Instruction ID: 49dc4e71e4ab5e4228b002cc47750d683b0f7ec0eb89fa6f6f5517e8cef6358e
                                                                                        • Opcode Fuzzy Hash: 50e39b514b9f29e75d4de9fcd56f1d1acf8e3b259d57035d154f7242efd119a4
                                                                                        • Instruction Fuzzy Hash: 8A21D6306041025FEF22D73CE98879D3B66EB41720F148961D406CB27ADB38DE858B91
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 6fa0d658b157af14c7d9ce0d048833922c7fd46f494ed733ccd71ccff89b5efe
                                                                                        • Instruction ID: d26c55499523cd5e7a081963b888cb3d8218d1a3377d3db04735004731482d47
                                                                                        • Opcode Fuzzy Hash: 6fa0d658b157af14c7d9ce0d048833922c7fd46f494ed733ccd71ccff89b5efe
                                                                                        • Instruction Fuzzy Hash: 1D21C470E006059BCF19CFA8C4546EEBBB2BF89314F14856EE815F7351EB709A42CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ff6a34e76e568f1756f417ab822f2bc711cbd94934b2da6af5c0d0a74c6d74bf
                                                                                        • Instruction ID: c95e73b337cd4b0c71634fcca9b47140747b94b3226dd410c2bcda025c880b1e
                                                                                        • Opcode Fuzzy Hash: ff6a34e76e568f1756f417ab822f2bc711cbd94934b2da6af5c0d0a74c6d74bf
                                                                                        • Instruction Fuzzy Hash: 68218B307082468FDF25EB78C9597AE77F1AF4A354F5404A8D406EB261DB369E01CB92
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4f6519cb96d813eab06edf688507def8bdf1f65093e6ba667cfa70bf3a0a254e
                                                                                        • Instruction ID: cf4fc366a0738fea1082c0327ea0a3b1b102bdb170b880e5a811153fc15dd63f
                                                                                        • Opcode Fuzzy Hash: 4f6519cb96d813eab06edf688507def8bdf1f65093e6ba667cfa70bf3a0a254e
                                                                                        • Instruction Fuzzy Hash: 4021A770A483428BEF32577DD4883687B62E746325F18486AD447CB362DB2DCA45C781
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ea1dd109b05c1923df3a7019d0840b685a2d03a38f8b99354a0fcd3661a1905a
                                                                                        • Instruction ID: a00440c4e5ffe62b27576e3a11d8d3b1c63d3221818ea5c1cfeb9b15032c0029
                                                                                        • Opcode Fuzzy Hash: ea1dd109b05c1923df3a7019d0840b685a2d03a38f8b99354a0fcd3661a1905a
                                                                                        • Instruction Fuzzy Hash: 2F212630700246CFDF55DB78C958AAD7BF1EF89315B2444A9E406EB361EB369E01CB51
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110357411.000000000184D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0184D000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_184d000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8b482c4dfbbd7d054f30785d27c6ca33463ef66f929e9ee328fd301e402cc6bd
                                                                                        • Instruction ID: 1fa546dba82966f6949e08e49692683f48fb19c3db06421c36d61a3de26bf17f
                                                                                        • Opcode Fuzzy Hash: 8b482c4dfbbd7d054f30785d27c6ca33463ef66f929e9ee328fd301e402cc6bd
                                                                                        • Instruction Fuzzy Hash: 24213471600608DFDB01DF58C9C0B26FBA5FB94318F20C66DEC0A8B352CB3AD546CA61
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 4bf7a464060fa12643980325382e0f4a310a75bdc7cf6cf765b6761629272ab8
                                                                                        • Instruction ID: 97e1f18718014cb1ebad8adf3e2aa7b10921e11331fe58c42bd49fa397e19985
                                                                                        • Opcode Fuzzy Hash: 4bf7a464060fa12643980325382e0f4a310a75bdc7cf6cf765b6761629272ab8
                                                                                        • Instruction Fuzzy Hash: EB218E70E0060A9BCF19CFA9C95499EB7B6AF89314F14852EE815FB350EB70AA41CB50
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2db514662290a870fcea250894ad1bafcedc9acc0d38a3c1d9c889e4acde5a51
                                                                                        • Instruction ID: e92dbcd485b6150dac897bf1762f08809a374bc97c2f1459107c10c1504ea628
                                                                                        • Opcode Fuzzy Hash: 2db514662290a870fcea250894ad1bafcedc9acc0d38a3c1d9c889e4acde5a51
                                                                                        • Instruction Fuzzy Hash: 1C213C30B0820A8FDF14EB68C9596AE77F5AB89355F5404A8D506FB364DB369E00CB92
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: fadb741fdb0e02d82eb1a79cc3ebd8b14959196fc35fd9b00dede42e06323847
                                                                                        • Instruction ID: 43e3d4ecf8f9ec28501e0428997ed41c97ef739ba82a8cdc5eb81242e9b02d6a
                                                                                        • Opcode Fuzzy Hash: fadb741fdb0e02d82eb1a79cc3ebd8b14959196fc35fd9b00dede42e06323847
                                                                                        • Instruction Fuzzy Hash: 70219334A441025FEF22D73CE988B9D7756E745720F148935D40BD727ADB38DE848B91
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f3804e7171bb7faf48d1cc3605f1f35459d9dffecb0f69763bf05065cdf2cffb
                                                                                        • Instruction ID: 72a5dc78df4a5f2ad2185afd1be7e06673eed5ceb4f0850ec2a5a9f061985ed9
                                                                                        • Opcode Fuzzy Hash: f3804e7171bb7faf48d1cc3605f1f35459d9dffecb0f69763bf05065cdf2cffb
                                                                                        • Instruction Fuzzy Hash: D4211634700205CFDF24DB78C958AAE7BF1EF89355B1444A9E406EB3A5DB369E01CB91
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.3110738188.0000000001890000.00000040.00000800.00020000.00000000.sdmp, Offset: 01890000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_1890000_imOLmwQ.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID: