Edit tour

Windows Analysis Report
EKSTRE_1022.exe

Overview

General Information

Sample name:	EKSTRE_1022.exe
Analysis ID:	1541206
MD5:	b949a48b3046b4b4e6e68564b228fbb2
SHA1:	65bd4ceeb0b371e5c578479b7c1b83ae8b9ef29f
SHA256:	f68c0c40aa651d080967ea4ea3c389fc1e3dbafcd097ac10f01374d0f6ae52d3
Tags:	exeMassLoggeruser-lowmal3
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Contains functionality to log keystrokes (.Net Source)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

EKSTRE_1022.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)

powershell.exe (PID: 8016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 6884 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 8104 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

EKSTRE_1022.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)

EKSTRE_1022.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)

EKSTRE_1022.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)

EKSTRE_1022.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)

EKSTRE_1022.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)

JIlApjvRxj.exe (PID: 4520 cmdline: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe MD5: B949A48B3046B4B4E6E68564B228FBB2)

schtasks.exe (PID: 3500 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JIlApjvRxj.exe (PID: 7752 cmdline: "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000012.00000002.2646438586.0000000002F84000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xefa7:$a1: get_encryptedPassword 0xf2cf:$a2: get_encryptedUsername 0xed42:$a3: get_timePasswordChanged 0xee63:$a4: get_passwordField 0xefbd:$a5: set_encryptedPassword 0x10919:$a7: get_logins 0x105ca:$a8: GetOutlookPasswords 0x103bc:$a9: StartKeylogger 0x10869:$a10: KeyLoggerEventArgs 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x10797:$a1: get_encryptedPassword 0x10abf:$a2: get_encryptedUsername 0x10532:$a3: get_timePasswordChanged 0x10653:$a4: get_passwordField 0x107ad:$a5: set_encryptedPassword 0x12109:$a7: get_logins 0x11dba:$a8: GetOutlookPasswords 0x11bac:$a9: StartKeylogger 0x12059:$a10: KeyLoggerEventArgs 0x11c09:$a11: KeyLoggerEventArgsEventHandler
0000000D.00000002.2647148367.0000000002D14000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x70b2f:$a1: get_encryptedPassword 0x8774f:$a1: get_encryptedPassword 0x70e57:$a2: get_encryptedUsername 0x87a77:$a2: get_encryptedUsername 0x708ca:$a3: get_timePasswordChanged 0x874ea:$a3: get_timePasswordChanged 0x709eb:$a4: get_passwordField 0x8760b:$a4: get_passwordField 0x70b45:$a5: set_encryptedPassword 0x87765:$a5: set_encryptedPassword 0x724a1:$a7: get_logins 0x890c1:$a7: get_logins 0x72152:$a8: GetOutlookPasswords 0x88d72:$a8: GetOutlookPasswords 0x71f44:$a9: StartKeylogger 0x88b64:$a9: StartKeylogger 0x723f1:$a10: KeyLoggerEventArgs 0x89011:$a10: KeyLoggerEventArgs 0x71fa1:$a11: KeyLoggerEventArgsEventHandler 0x88bc1:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x7008f:$a1: get_encryptedPassword 0x86caf:$a1: get_encryptedPassword 0x703b7:$a2: get_encryptedUsername 0x86fd7:$a2: get_encryptedUsername 0x6fe2a:$a3: get_timePasswordChanged 0x86a4a:$a3: get_timePasswordChanged 0x6ff4b:$a4: get_passwordField 0x86b6b:$a4: get_passwordField 0x700a5:$a5: set_encryptedPassword 0x86cc5:$a5: set_encryptedPassword 0x71a01:$a7: get_logins 0x88621:$a7: get_logins 0x716b2:$a8: GetOutlookPasswords 0x882d2:$a8: GetOutlookPasswords 0x714a4:$a9: StartKeylogger 0x880c4:$a9: StartKeylogger 0x71951:$a10: KeyLoggerEventArgs 0x88571:$a10: KeyLoggerEventArgs 0x71501:$a11: KeyLoggerEventArgsEventHandler 0x88121:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: EKSTRE_1022.exe PID: 7828	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: EKSTRE_1022.exe PID: 7828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EKSTRE_1022.exe PID: 7828	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: EKSTRE_1022.exe PID: 7828	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x31757:$a1: get_encryptedPassword 0x423f3:$a1: get_encryptedPassword 0x31a70:$a2: get_encryptedUsername 0x4270c:$a2: get_encryptedUsername 0x31506:$a3: get_timePasswordChanged 0x421a2:$a3: get_timePasswordChanged 0x31627:$a4: get_passwordField 0x422c3:$a4: get_passwordField 0x3176d:$a5: set_encryptedPassword 0x42409:$a5: set_encryptedPassword 0x33070:$a7: get_logins 0x43d0c:$a7: get_logins 0x32d21:$a8: GetOutlookPasswords 0x439bd:$a8: GetOutlookPasswords 0x32b13:$a9: StartKeylogger 0x437af:$a9: StartKeylogger 0x32fc0:$a10: KeyLoggerEventArgs 0x43c5c:$a10: KeyLoggerEventArgs 0x32b70:$a11: KeyLoggerEventArgsEventHandler 0x4380c:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: EKSTRE_1022.exe PID: 7584	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: EKSTRE_1022.exe PID: 7584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: EKSTRE_1022.exe PID: 7584	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: EKSTRE_1022.exe PID: 7584	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12f56:$a1: get_encryptedPassword 0x1326f:$a2: get_encryptedUsername 0x12d05:$a3: get_timePasswordChanged 0x12e26:$a4: get_passwordField 0x12f6c:$a5: set_encryptedPassword 0x1486f:$a7: get_logins 0x14520:$a8: GetOutlookPasswords 0x14312:$a9: StartKeylogger 0x147bf:$a10: KeyLoggerEventArgs 0x1436f:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: JIlApjvRxj.exe PID: 4520	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: JIlApjvRxj.exe PID: 4520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: JIlApjvRxj.exe PID: 4520	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: JIlApjvRxj.exe PID: 4520	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: JIlApjvRxj.exe PID: 4520	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x12e08:$a1: get_encryptedPassword 0x13121:$a2: get_encryptedUsername 0x12bb7:$a3: get_timePasswordChanged 0x12cd8:$a4: get_passwordField 0x12e1e:$a5: set_encryptedPassword 0x14721:$a7: get_logins 0x143d2:$a8: GetOutlookPasswords 0x141c4:$a9: StartKeylogger 0x14671:$a10: KeyLoggerEventArgs 0x14221:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: JIlApjvRxj.exe PID: 7752	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
14.2.JIlApjvRxj.exe.40ba988.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
14.2.JIlApjvRxj.exe.40ba988.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.EKSTRE_1022.exe.409bee8.3.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.EKSTRE_1022.exe.409bee8.3.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EKSTRE_1022.exe.409bee8.3.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EKSTRE_1022.exe.409bee8.3.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.EKSTRE_1022.exe.409bee8.3.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1414b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13649:$a3: \Google\Chrome\User Data\Default\Login Data 0x13957:$a4: \Orbitum\User Data\Default\Login Data 0x1474f:$a5: \Kometa\User Data\Default\Login Data
0.2.EKSTRE_1022.exe.3fd85f0.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.EKSTRE_1022.exe.3fd85f0.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EKSTRE_1022.exe.3fd85f0.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EKSTRE_1022.exe.3fd85f0.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
0.2.EKSTRE_1022.exe.3fd85f0.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b57:$a4: \Orbitum\User Data\Default\Login Data 0x1294f:$a5: \Kometa\User Data\Default\Login Data
0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0x25dc7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0x260ef:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0x25b62:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0x25c83:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x25ddd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x27739:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x273ea:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x271dc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x27689:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler 0x27239:$a11: KeyLoggerEventArgsEventHandler
Click to see the 23 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", ProcessId: 8016, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe, ParentImage: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe, ParentProcessId: 4520, ParentProcessName: JIlApjvRxj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp", ProcessId: 3500, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", ProcessId: 8104, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", ProcessId: 8016, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", ProcessId: 8104, ProcessName: schtasks.exe

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-24T15:21:03.866696+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49710	193.122.6.168	80	TCP
2024-10-24T15:21:07.054215+0200	2803274	2	Potentially Bad Traffic	192.168.2.8	49714	193.122.6.168	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

ReversingLabs: Detection: 36%

Multi AV Scanner detection for submitted file

Source: EKSTRE_1022.exe

ReversingLabs: Detection: 36%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: EKSTRE_1022.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: EKSTRE_1022.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49716 version: TLS 1.0

Source: EKSTRE_1022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: RJtO.pdbSHA256 source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr
Source:	Binary string: RJtO.pdb source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 4x nop then jmp 02652404h	0_2_02651BB5
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 4x nop then jmp 02652404h	0_2_02651E65
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 4x nop then jmp 02652404h	0_2_02651F7D
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 4x nop then jmp 010C5782h	13_2_010C5358
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 4x nop then jmp 010C51B9h	13_2_010C4F08
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 4x nop then jmp 010C5782h	13_2_010C56AF
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 4x nop then jmp 047C172Ch	14_2_047C0EDD
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 4x nop then jmp 047C172Ch	14_2_047C118D
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 4x nop then jmp 02CB5782h	18_2_02CB5358
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 4x nop then jmp 02CB51B9h	18_2_02CB4F08
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 4x nop then jmp 02CB5782h	18_2_02CB56AF

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3
Source: Joe Sandbox View	IP Address: 188.114.96.3 188.114.96.3

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49714 -> 193.122.6.168:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49710 -> 193.122.6.168:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49716 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr	String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: JIlApjvRxj.exe, 00000012.00000002.2650089586.0000000006607000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr	String found in binary or memory: http://ocsp.comodoca.com0
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: EKSTRE_1022.exe, 00000000.00000002.1424563889.00000000027DD000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1459389939.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr	String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71d
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71l
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr	String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

System Summary

Malicious sample detected (through community Yara rule)

Source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA2CA8 NtQueryInformationProcess,	0_2_06BA2CA8
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA2CA0 NtQueryInformationProcess,	0_2_06BA2CA0
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA2CA8 NtQueryInformationProcess,	14_2_06EA2CA8
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA2CA0 NtQueryInformationProcess,	14_2_06EA2CA0

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_00F5D304	0_2_00F5D304
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_02653360	0_2_02653360
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_04D20040	0_2_04D20040
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_04D2003C	0_2_04D2003C
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BAF7C0	0_2_06BAF7C0
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA33FC	0_2_06BA33FC
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA5020	0_2_06BA5020
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA0040	0_2_06BA0040
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA8BB0	0_2_06BA8BB0
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BAB6F8	0_2_06BAB6F8
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BAD610	0_2_06BAD610
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BAE734	0_2_06BAE734
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA2578	0_2_06BA2578
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA52B0	0_2_06BA52B0
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA52A2	0_2_06BA52A2
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA20B8	0_2_06BA20B8
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA5012	0_2_06BA5012
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA0006	0_2_06BA0006
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA2E28	0_2_06BA2E28
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BABF68	0_2_06BABF68
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BABF58	0_2_06BABF58
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA1C80	0_2_06BA1C80
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA1C70	0_2_06BA1C70
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BADA3A	0_2_06BADA3A
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BADA48	0_2_06BADA48
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA8BA2	0_2_06BA8BA2
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BABB30	0_2_06BABB30
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010CC168	13_2_010CC168
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010C27B9	13_2_010C27B9
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010CA821	13_2_010CA821
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010CCA58	13_2_010CCA58
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010C4F08	13_2_010C4F08
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010C7E68	13_2_010C7E68
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010CB9E0	13_2_010CB9E0
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010C2DD1	13_2_010C2DD1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010C7E59	13_2_010C7E59
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010C4EF8	13_2_010C4EF8
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_0266D304	14_2_0266D304
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_047C25C8	14_2_047C25C8
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_04D70040	14_2_04D70040
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_04D7003F	14_2_04D7003F
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EAF788	14_2_06EAF788
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA0040	14_2_06EA0040
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA5020	14_2_06EA5020
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA8BB0	14_2_06EA8BB0
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EAB6F8	14_2_06EAB6F8
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EAD610	14_2_06EAD610
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EAE734	14_2_06EAE734
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA2578	14_2_06EA2578
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA52AD	14_2_06EA52AD
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA52B0	14_2_06EA52B0
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA20B8	14_2_06EA20B8
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA0021	14_2_06EA0021
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA501D	14_2_06EA501D
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA5012	14_2_06EA5012
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA2E28	14_2_06EA2E28
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EABF67	14_2_06EABF67
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EABF58	14_2_06EABF58
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA1C70	14_2_06EA1C70
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EADA48	14_2_06EADA48
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EA8BA1	14_2_06EA8BA1
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_06EABB30	14_2_06EABB30
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_082AA158	14_2_082AA158
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_082A99E0	14_2_082A99E0
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_082AF405	14_2_082AF405
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_082A6310	14_2_082A6310
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_082A6578	14_2_082A6578
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CBC168	18_2_02CBC168
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CBCA58	18_2_02CBCA58
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CBA821	18_2_02CBA821
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CB7E68	18_2_02CB7E68
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CB4F08	18_2_02CB4F08
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CBB9E0	18_2_02CBB9E0
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CB4EF8	18_2_02CB4EF8
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CB7E59	18_2_02CB7E59
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CB2DD1	18_2_02CB2DD1

Source: EKSTRE_1022.exe

Static PE information: invalid certificate

Source: EKSTRE_1022.exe, 00000000.00000002.1424563889.0000000002844000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1423762513.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1428993470.000000000B660000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTyrone.dll8 vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 0000000D.00000002.2644076876.000000000041A000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCloudServices.exe< vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 0000000D.00000002.2644441845.00000000009A7000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe	Binary or memory string: OriginalFilenameRJtO.exe> vs EKSTRE_1022.exe

Source: EKSTRE_1022.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: EKSTRE_1022.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JIlApjvRxj.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: _0020.SetAccessControl
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: _0020.AddAccessRule
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: _0020.SetAccessControl
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: _0020.AddAccessRule
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, IrmqqWkUGaV7heJOLK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, IrmqqWkUGaV7heJOLK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, IrmqqWkUGaV7heJOLK.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: _0020.SetAccessControl
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs	Security API names: _0020.AddAccessRule

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@27/15@2/2

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

File created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Mutant created: \Sessions\1\BaseNamedObjects\EowxANBTvVfImCZPJSpJBNkCSSh
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

File created: C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp

Jump to behavior

Source: EKSTRE_1022.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: EKSTRE_1022.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2648113737.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: EKSTRE_1022.exe

ReversingLabs: Detection: 36%

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

File read: C:\Users\user\Desktop\EKSTRE_1022.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: EKSTRE_1022.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EKSTRE_1022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: EKSTRE_1022.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RJtO.pdbSHA256 source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr
Source:	Binary string: RJtO.pdb source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: EKSTRE_1022.exe, formMain.cs	.Net Code: InitializeComponent
Source: JIlApjvRxj.exe.0.dr, formMain.cs	.Net Code: InitializeComponent
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs	.Net Code: o2lbUVjT1c System.Reflection.Assembly.Load(byte[])
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs	.Net Code: o2lbUVjT1c System.Reflection.Assembly.Load(byte[])
Source: 0.2.EKSTRE_1022.exe.37c0b90.1.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.EKSTRE_1022.exe.6b60000.4.raw.unpack, Uo.cs	.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs	.Net Code: o2lbUVjT1c System.Reflection.Assembly.Load(byte[])

Source: EKSTRE_1022.exe

Static PE information: 0xAAFFD7DD [Sun Nov 28 18:54:21 2060 UTC]

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_00F55720 pushfd ; retf 0004h	0_2_00F5572A
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_02652346 push esi; ret	0_2_02652347
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 0_2_06BA95D6 push es; iretd	0_2_06BA9604
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Code function: 13_2_010CF273 push ebp; retf	13_2_010CF281
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_0266E2E0 push 14418B02h; ret	14_2_0266E2F3
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_0266C3C0 push cs; iretd	14_2_0266C3CE
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_0266A0F0 push 24418B02h; ret	14_2_0266A1B3
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_0266C501 push cs; iretd	14_2_0266C50E
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_02669358 push ebx; iretd	14_2_02669377
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_02665720 pushfd ; iretd	14_2_0266572A
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_02665870 pushfd ; iretd	14_2_02665876
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_0266590C pushfd ; iretd	14_2_02665916
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_047C25BA push cs; iretd	14_2_047C25C6
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_04D726A3 pushad ; iretd	14_2_04D726A6
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_04D71D87 pushad ; iretd	14_2_04D71D88
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_04D75ED0 push 24418B02h; ret	14_2_04D75EE3
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_04D71AF7 pushad ; iretd	14_2_04D71B06
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 14_2_082A5A68 push C0335002h; mov dword ptr [esp], eax	14_2_082A5A7B
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CB27CB push ds; retf	18_2_02CB27D2
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Code function: 18_2_02CB27BF push ds; retf	18_2_02CB27C2

Source: EKSTRE_1022.exe	Static PE information: section name: .text entropy: 7.921681038853017
Source: JIlApjvRxj.exe.0.dr	Static PE information: section name: .text entropy: 7.921681038853017

Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, yxyI5BFJELURXakQYI.cs	High entropy of concatenated method names: 'XHAsV0KSCI', 'HplsiDx2WY', 'WJtsUm9BLf', 'CELsSnGAwo', 'jSpsTBmseU', 'cxFsGfS4Zp', 'F76sNrajGJ', 'brKskfEqpx', 'Es9sQB6nPw', 'NqOs9nqf7w'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, jHTh2a80odskpT8irY.cs	High entropy of concatenated method names: 'cYAuZeeFoO', 'vnvudmCDGP', 'xdYuJocTZf', 'sfZuebpL0M', 'N3euPkltiE', 'fSYuxqEIFS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, pVGfexb4PJmE9I0eMS.cs	High entropy of concatenated method names: 'koJOsrmqqW', 'zGaOtV7heJ', 'JWjOlKmr8O', 'hosOBl5DmA', 'F4gOClcVSg', 'BZrOyWj80S', 'PjeP5TDdS3YKrJnMpm', 'hG5visZ0vJsuoi84Rg', 'e3YZns5ZeHwGaZBk5m', 'QytOOLItEm'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zqBkq23pBKyjW57462.cs	High entropy of concatenated method names: 'PP7uEnCpGT', 'nHxuHxVSbT', 'sYVu7wc3IF', 'WS3ufSYOvf', 'd9duAjEhsO', 'JKtusgp7CG', 'HSlutSAkvM', 'AuBupB38as', 'a6PulPoOjS', 'n5puBEIbKk'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, RDlbE5OIhCAPUehj1Za.cs	High entropy of concatenated method names: 'AkKoVlDhHw', 'fkyoimm9ue', 'Hb4oUQ01sj', 'bJYoSRQwmo', 'fdHoTKYT0u', 'matoGQRyvs', 'Eo3oNx35AS', 'aHuokGV6SL', 'wfloQVw06J', 'ASKo9OJR9u'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, eDmAuQ9v2RM8LZ4glc.cs	High entropy of concatenated method names: 'W4cfTxwVP9', 'YLWfNIAVY0', 'be17JKD4GA', 'CAc7evslYg', 'Sco7x7cMQR', 'JiJ7WclwpN', 'T1x7YJOYbk', 'X187mSmSK0', 'uel7FHk7aH', 'yVq7D3v3gx'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, xuZKPH0bg3CNJiej0Y.cs	High entropy of concatenated method names: 'RE8UZH5r8', 'DSLSWoMqi', 'P8cGwOxwQ', 'bIDN9X3CY', 'qNEQ7QjUP', 'Gvw9kwE8H', 'qgPuBEQdGkERkmdqRE', 'PZkNYOp58ZckVpH5kT', 'TfvuRDiUt', 'buj1TnkmY'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, DSg0IsjnvDMwoDkgHJ.cs	High entropy of concatenated method names: 'yKdoO1MDMb', 'd1oorEBjqU', 'GoDobCtiaJ', 'MgyoExUB4N', 'dQCoH7vEun', 'DjJofDnCCZ', 'DxIoALNjDj', 'SH6uvnrISk', 'iMdu3Y086o', 'Arwu8RWUeE'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, XkyU3YwMsX6X7Ya2Ow.cs	High entropy of concatenated method names: 'SvLclGG4yG', 'DqOcBZh5uL', 'ToString', 'eACcEkPBg4', 'TWMcHcIUjh', 'N5Xc7hKmET', 'MUScfRV2h6', 'wVRcAEicp7', 'n6pcsCq6sL', 'lU3ctgWCc8'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs	High entropy of concatenated method names: 'BTxr50399h', 'c9yrEhe0r0', 'QmlrHfpo1l', 'irkr7Polew', 'UGDrf6u9xk', 'MeVrA5hqxN', 'LT5rs01Xfb', 'OYvrt3jGwC', 'n9drpCbkuD', 'BXXrl0N42Y'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, JXuK5OOrdd4A47g8hp2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'boA1PMK2Q5', 'OoP1gBGtSc', 'Urv1KSbvMf', 'ulH1wByIH2', 'VJq12MWXje', 'gA91axkuoY', 'Y5h1vb0jdE'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, xSgTZrZWj80Sr5cuuu.cs	High entropy of concatenated method names: 'O2CA5QnVBe', 'xWCAHVOiji', 'z9cAfUE9Cp', 'du4AsgtxKt', 'YAwAt7N0l6', 'BSEf2UPy4l', 'ejgfa3ulxi', 'aALfvUEf7A', 'Jtof3fOtvu', 'TcYf8li88B'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, gimaVxQWjKmr8Ofosl.cs	High entropy of concatenated method names: 'cfX7SStUG0', 'NWN7GMomUS', 'Bt57kNwhAV', 'BM17QTndam', 'Mi57C3iNm4', 'kOb7yFZvEk', 'ikr7cOSFur', 'auV7u50Os0', 'wdU7ouJrnk', 'OlK716w8jC'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, xG25IkzZH5iNF8BafO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YdFoRQW7Qf', 'U8koCU6bav', 'BeMoyTIvvc', 'FqGocfMaBv', 'DkPoub7pwX', 'jy5oofKeUM', 'k5to1Lk6EY'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, F6xH8FLHG7b0LaXqx7.cs	High entropy of concatenated method names: 'XwVRke48pR', 'WNERQJY14N', 'sKARZokvPj', 'gOARdoeDrl', 'vayReruVKT', 'dtYRxFvchI', 'Rt8RYd6YsM', 'wNRRmoKxEn', 'G3YRD1CkYj', 'XHTRqYZPNA'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, KVVciMPooTamDtE6Qi.cs	High entropy of concatenated method names: 'DSnCD8Zo2X', 'sIwC47j85a', 'O59CPyUQZS', 'rVUCgT4Yh7', 'OPxCdrqwQL', 'x6kCJakEDs', 'x6lCeB718W', 'u7JCxtiPMT', 'JQ5CW2qFEQ', 'mdDCYfaNS4'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, IrmqqWkUGaV7heJOLK.cs	High entropy of concatenated method names: 'Dr1HP1Hma3', 'WnlHgfeYnZ', 'JxMHKoV2dJ', 'DTUHw1JGkb', 'fwtH2xGT2p', 'bDvHaIx7FM', 'sg1HvdZ2gg', 'zHBH36cX8x', 'ip8H86ZNvh', 'RTgHjUFWQO'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, bnfZ4SYIIMAWSTswXq.cs	High entropy of concatenated method names: 'xZjsETYWfS', 'F0Ys7y02v2', 'YarsAbCPbw', 'pllAj9ktg1', 'RZNAzA97U9', 'zvmsILwtak', 'psCsOvhGCS', 'cNUs0eDmX5', 'M0vsr3KD77', 'CX0sblHynN'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, iWE2HKaPDHVenn26YW.cs	High entropy of concatenated method names: 'URnc3TE5Pc', 'HglcjQHgWH', 'aNcuIEB5Oo', 'YY1uOLR5Xs', 'qGLcqtTVfW', 'vdOc47miwV', 'HDccLPxQiV', 'C3dcPDqmbd', 'X7UcgkDxMe', 'NPTcKGBq4C'
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, RiKiidHLlgPOlPUrnd.cs	High entropy of concatenated method names: 'Dispose', 'yYxO8V9vjX', 'kyh0dDbSmn', 'bCiddB9vj3', 'EUqOjBkq2p', 'mKyOzjW574', 'ProcessDialogKey', 'u2s0IHTh2a', 'cod0OskpT8', 'yrY00NSg0I'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, yxyI5BFJELURXakQYI.cs	High entropy of concatenated method names: 'XHAsV0KSCI', 'HplsiDx2WY', 'WJtsUm9BLf', 'CELsSnGAwo', 'jSpsTBmseU', 'cxFsGfS4Zp', 'F76sNrajGJ', 'brKskfEqpx', 'Es9sQB6nPw', 'NqOs9nqf7w'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, jHTh2a80odskpT8irY.cs	High entropy of concatenated method names: 'cYAuZeeFoO', 'vnvudmCDGP', 'xdYuJocTZf', 'sfZuebpL0M', 'N3euPkltiE', 'fSYuxqEIFS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, pVGfexb4PJmE9I0eMS.cs	High entropy of concatenated method names: 'koJOsrmqqW', 'zGaOtV7heJ', 'JWjOlKmr8O', 'hosOBl5DmA', 'F4gOClcVSg', 'BZrOyWj80S', 'PjeP5TDdS3YKrJnMpm', 'hG5visZ0vJsuoi84Rg', 'e3YZns5ZeHwGaZBk5m', 'QytOOLItEm'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zqBkq23pBKyjW57462.cs	High entropy of concatenated method names: 'PP7uEnCpGT', 'nHxuHxVSbT', 'sYVu7wc3IF', 'WS3ufSYOvf', 'd9duAjEhsO', 'JKtusgp7CG', 'HSlutSAkvM', 'AuBupB38as', 'a6PulPoOjS', 'n5puBEIbKk'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, RDlbE5OIhCAPUehj1Za.cs	High entropy of concatenated method names: 'AkKoVlDhHw', 'fkyoimm9ue', 'Hb4oUQ01sj', 'bJYoSRQwmo', 'fdHoTKYT0u', 'matoGQRyvs', 'Eo3oNx35AS', 'aHuokGV6SL', 'wfloQVw06J', 'ASKo9OJR9u'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, eDmAuQ9v2RM8LZ4glc.cs	High entropy of concatenated method names: 'W4cfTxwVP9', 'YLWfNIAVY0', 'be17JKD4GA', 'CAc7evslYg', 'Sco7x7cMQR', 'JiJ7WclwpN', 'T1x7YJOYbk', 'X187mSmSK0', 'uel7FHk7aH', 'yVq7D3v3gx'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, xuZKPH0bg3CNJiej0Y.cs	High entropy of concatenated method names: 'RE8UZH5r8', 'DSLSWoMqi', 'P8cGwOxwQ', 'bIDN9X3CY', 'qNEQ7QjUP', 'Gvw9kwE8H', 'qgPuBEQdGkERkmdqRE', 'PZkNYOp58ZckVpH5kT', 'TfvuRDiUt', 'buj1TnkmY'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, DSg0IsjnvDMwoDkgHJ.cs	High entropy of concatenated method names: 'yKdoO1MDMb', 'd1oorEBjqU', 'GoDobCtiaJ', 'MgyoExUB4N', 'dQCoH7vEun', 'DjJofDnCCZ', 'DxIoALNjDj', 'SH6uvnrISk', 'iMdu3Y086o', 'Arwu8RWUeE'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, XkyU3YwMsX6X7Ya2Ow.cs	High entropy of concatenated method names: 'SvLclGG4yG', 'DqOcBZh5uL', 'ToString', 'eACcEkPBg4', 'TWMcHcIUjh', 'N5Xc7hKmET', 'MUScfRV2h6', 'wVRcAEicp7', 'n6pcsCq6sL', 'lU3ctgWCc8'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs	High entropy of concatenated method names: 'BTxr50399h', 'c9yrEhe0r0', 'QmlrHfpo1l', 'irkr7Polew', 'UGDrf6u9xk', 'MeVrA5hqxN', 'LT5rs01Xfb', 'OYvrt3jGwC', 'n9drpCbkuD', 'BXXrl0N42Y'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, JXuK5OOrdd4A47g8hp2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'boA1PMK2Q5', 'OoP1gBGtSc', 'Urv1KSbvMf', 'ulH1wByIH2', 'VJq12MWXje', 'gA91axkuoY', 'Y5h1vb0jdE'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, xSgTZrZWj80Sr5cuuu.cs	High entropy of concatenated method names: 'O2CA5QnVBe', 'xWCAHVOiji', 'z9cAfUE9Cp', 'du4AsgtxKt', 'YAwAt7N0l6', 'BSEf2UPy4l', 'ejgfa3ulxi', 'aALfvUEf7A', 'Jtof3fOtvu', 'TcYf8li88B'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, gimaVxQWjKmr8Ofosl.cs	High entropy of concatenated method names: 'cfX7SStUG0', 'NWN7GMomUS', 'Bt57kNwhAV', 'BM17QTndam', 'Mi57C3iNm4', 'kOb7yFZvEk', 'ikr7cOSFur', 'auV7u50Os0', 'wdU7ouJrnk', 'OlK716w8jC'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, xG25IkzZH5iNF8BafO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YdFoRQW7Qf', 'U8koCU6bav', 'BeMoyTIvvc', 'FqGocfMaBv', 'DkPoub7pwX', 'jy5oofKeUM', 'k5to1Lk6EY'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, F6xH8FLHG7b0LaXqx7.cs	High entropy of concatenated method names: 'XwVRke48pR', 'WNERQJY14N', 'sKARZokvPj', 'gOARdoeDrl', 'vayReruVKT', 'dtYRxFvchI', 'Rt8RYd6YsM', 'wNRRmoKxEn', 'G3YRD1CkYj', 'XHTRqYZPNA'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, KVVciMPooTamDtE6Qi.cs	High entropy of concatenated method names: 'DSnCD8Zo2X', 'sIwC47j85a', 'O59CPyUQZS', 'rVUCgT4Yh7', 'OPxCdrqwQL', 'x6kCJakEDs', 'x6lCeB718W', 'u7JCxtiPMT', 'JQ5CW2qFEQ', 'mdDCYfaNS4'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, IrmqqWkUGaV7heJOLK.cs	High entropy of concatenated method names: 'Dr1HP1Hma3', 'WnlHgfeYnZ', 'JxMHKoV2dJ', 'DTUHw1JGkb', 'fwtH2xGT2p', 'bDvHaIx7FM', 'sg1HvdZ2gg', 'zHBH36cX8x', 'ip8H86ZNvh', 'RTgHjUFWQO'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, bnfZ4SYIIMAWSTswXq.cs	High entropy of concatenated method names: 'xZjsETYWfS', 'F0Ys7y02v2', 'YarsAbCPbw', 'pllAj9ktg1', 'RZNAzA97U9', 'zvmsILwtak', 'psCsOvhGCS', 'cNUs0eDmX5', 'M0vsr3KD77', 'CX0sblHynN'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, iWE2HKaPDHVenn26YW.cs	High entropy of concatenated method names: 'URnc3TE5Pc', 'HglcjQHgWH', 'aNcuIEB5Oo', 'YY1uOLR5Xs', 'qGLcqtTVfW', 'vdOc47miwV', 'HDccLPxQiV', 'C3dcPDqmbd', 'X7UcgkDxMe', 'NPTcKGBq4C'
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, RiKiidHLlgPOlPUrnd.cs	High entropy of concatenated method names: 'Dispose', 'yYxO8V9vjX', 'kyh0dDbSmn', 'bCiddB9vj3', 'EUqOjBkq2p', 'mKyOzjW574', 'ProcessDialogKey', 'u2s0IHTh2a', 'cod0OskpT8', 'yrY00NSg0I'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, yxyI5BFJELURXakQYI.cs	High entropy of concatenated method names: 'XHAsV0KSCI', 'HplsiDx2WY', 'WJtsUm9BLf', 'CELsSnGAwo', 'jSpsTBmseU', 'cxFsGfS4Zp', 'F76sNrajGJ', 'brKskfEqpx', 'Es9sQB6nPw', 'NqOs9nqf7w'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, jHTh2a80odskpT8irY.cs	High entropy of concatenated method names: 'cYAuZeeFoO', 'vnvudmCDGP', 'xdYuJocTZf', 'sfZuebpL0M', 'N3euPkltiE', 'fSYuxqEIFS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, pVGfexb4PJmE9I0eMS.cs	High entropy of concatenated method names: 'koJOsrmqqW', 'zGaOtV7heJ', 'JWjOlKmr8O', 'hosOBl5DmA', 'F4gOClcVSg', 'BZrOyWj80S', 'PjeP5TDdS3YKrJnMpm', 'hG5visZ0vJsuoi84Rg', 'e3YZns5ZeHwGaZBk5m', 'QytOOLItEm'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zqBkq23pBKyjW57462.cs	High entropy of concatenated method names: 'PP7uEnCpGT', 'nHxuHxVSbT', 'sYVu7wc3IF', 'WS3ufSYOvf', 'd9duAjEhsO', 'JKtusgp7CG', 'HSlutSAkvM', 'AuBupB38as', 'a6PulPoOjS', 'n5puBEIbKk'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, RDlbE5OIhCAPUehj1Za.cs	High entropy of concatenated method names: 'AkKoVlDhHw', 'fkyoimm9ue', 'Hb4oUQ01sj', 'bJYoSRQwmo', 'fdHoTKYT0u', 'matoGQRyvs', 'Eo3oNx35AS', 'aHuokGV6SL', 'wfloQVw06J', 'ASKo9OJR9u'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, eDmAuQ9v2RM8LZ4glc.cs	High entropy of concatenated method names: 'W4cfTxwVP9', 'YLWfNIAVY0', 'be17JKD4GA', 'CAc7evslYg', 'Sco7x7cMQR', 'JiJ7WclwpN', 'T1x7YJOYbk', 'X187mSmSK0', 'uel7FHk7aH', 'yVq7D3v3gx'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, xuZKPH0bg3CNJiej0Y.cs	High entropy of concatenated method names: 'RE8UZH5r8', 'DSLSWoMqi', 'P8cGwOxwQ', 'bIDN9X3CY', 'qNEQ7QjUP', 'Gvw9kwE8H', 'qgPuBEQdGkERkmdqRE', 'PZkNYOp58ZckVpH5kT', 'TfvuRDiUt', 'buj1TnkmY'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, DSg0IsjnvDMwoDkgHJ.cs	High entropy of concatenated method names: 'yKdoO1MDMb', 'd1oorEBjqU', 'GoDobCtiaJ', 'MgyoExUB4N', 'dQCoH7vEun', 'DjJofDnCCZ', 'DxIoALNjDj', 'SH6uvnrISk', 'iMdu3Y086o', 'Arwu8RWUeE'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, XkyU3YwMsX6X7Ya2Ow.cs	High entropy of concatenated method names: 'SvLclGG4yG', 'DqOcBZh5uL', 'ToString', 'eACcEkPBg4', 'TWMcHcIUjh', 'N5Xc7hKmET', 'MUScfRV2h6', 'wVRcAEicp7', 'n6pcsCq6sL', 'lU3ctgWCc8'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs	High entropy of concatenated method names: 'BTxr50399h', 'c9yrEhe0r0', 'QmlrHfpo1l', 'irkr7Polew', 'UGDrf6u9xk', 'MeVrA5hqxN', 'LT5rs01Xfb', 'OYvrt3jGwC', 'n9drpCbkuD', 'BXXrl0N42Y'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, JXuK5OOrdd4A47g8hp2.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'boA1PMK2Q5', 'OoP1gBGtSc', 'Urv1KSbvMf', 'ulH1wByIH2', 'VJq12MWXje', 'gA91axkuoY', 'Y5h1vb0jdE'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, xSgTZrZWj80Sr5cuuu.cs	High entropy of concatenated method names: 'O2CA5QnVBe', 'xWCAHVOiji', 'z9cAfUE9Cp', 'du4AsgtxKt', 'YAwAt7N0l6', 'BSEf2UPy4l', 'ejgfa3ulxi', 'aALfvUEf7A', 'Jtof3fOtvu', 'TcYf8li88B'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, gimaVxQWjKmr8Ofosl.cs	High entropy of concatenated method names: 'cfX7SStUG0', 'NWN7GMomUS', 'Bt57kNwhAV', 'BM17QTndam', 'Mi57C3iNm4', 'kOb7yFZvEk', 'ikr7cOSFur', 'auV7u50Os0', 'wdU7ouJrnk', 'OlK716w8jC'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, xG25IkzZH5iNF8BafO.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YdFoRQW7Qf', 'U8koCU6bav', 'BeMoyTIvvc', 'FqGocfMaBv', 'DkPoub7pwX', 'jy5oofKeUM', 'k5to1Lk6EY'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, F6xH8FLHG7b0LaXqx7.cs	High entropy of concatenated method names: 'XwVRke48pR', 'WNERQJY14N', 'sKARZokvPj', 'gOARdoeDrl', 'vayReruVKT', 'dtYRxFvchI', 'Rt8RYd6YsM', 'wNRRmoKxEn', 'G3YRD1CkYj', 'XHTRqYZPNA'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, KVVciMPooTamDtE6Qi.cs	High entropy of concatenated method names: 'DSnCD8Zo2X', 'sIwC47j85a', 'O59CPyUQZS', 'rVUCgT4Yh7', 'OPxCdrqwQL', 'x6kCJakEDs', 'x6lCeB718W', 'u7JCxtiPMT', 'JQ5CW2qFEQ', 'mdDCYfaNS4'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, IrmqqWkUGaV7heJOLK.cs	High entropy of concatenated method names: 'Dr1HP1Hma3', 'WnlHgfeYnZ', 'JxMHKoV2dJ', 'DTUHw1JGkb', 'fwtH2xGT2p', 'bDvHaIx7FM', 'sg1HvdZ2gg', 'zHBH36cX8x', 'ip8H86ZNvh', 'RTgHjUFWQO'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, bnfZ4SYIIMAWSTswXq.cs	High entropy of concatenated method names: 'xZjsETYWfS', 'F0Ys7y02v2', 'YarsAbCPbw', 'pllAj9ktg1', 'RZNAzA97U9', 'zvmsILwtak', 'psCsOvhGCS', 'cNUs0eDmX5', 'M0vsr3KD77', 'CX0sblHynN'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, iWE2HKaPDHVenn26YW.cs	High entropy of concatenated method names: 'URnc3TE5Pc', 'HglcjQHgWH', 'aNcuIEB5Oo', 'YY1uOLR5Xs', 'qGLcqtTVfW', 'vdOc47miwV', 'HDccLPxQiV', 'C3dcPDqmbd', 'X7UcgkDxMe', 'NPTcKGBq4C'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, RiKiidHLlgPOlPUrnd.cs	High entropy of concatenated method names: 'Dispose', 'yYxO8V9vjX', 'kyh0dDbSmn', 'bCiddB9vj3', 'EUqOjBkq2p', 'mKyOzjW574', 'ProcessDialogKey', 'u2s0IHTh2a', 'cod0OskpT8', 'yrY00NSg0I'

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

File created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: F50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: 27A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: 25F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: 8B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: 9B90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: 9DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: ADA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: B6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: C6C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: 1080000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory allocated: 2B00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 2600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 27C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 47C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 8520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 9520000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 9710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: A710000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: B0D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: C0D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 2E30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory allocated: 4E30000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6611	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 587	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6734	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 496	Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe TID: 7848	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220	Thread sleep count: 6611 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184	Thread sleep count: 587 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe TID: 6288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: EKSTRE_1022.exe, 0000000D.00000002.2645398048.0000000000E66000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEL
Source: JIlApjvRxj.exe, 00000012.00000002.2644657130.0000000001028000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

Code function: 13_2_010CC168 LdrInitializeThunk,LdrInitializeThunk,

13_2_010CC168

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Memory written: C:\Users\user\Desktop\EKSTRE_1022.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Memory written: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Process created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Users\user\Desktop\EKSTRE_1022.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Users\user\Desktop\EKSTRE_1022.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\EKSTRE_1022.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\EKSTRE_1022.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000002.2646438586.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2647148367.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JIlApjvRxj.exe PID: 7752, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	11 Disable or Modify Tools	1 OS Credential Dumping	1 File and Directory Discovery	Remote Services	11 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	111 Process Injection	1 Deobfuscate/Decode Files or Information	1 Input Capture	13 System Information Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Scheduled Task/Job	3 Obfuscated Files or Information	Security Account Manager	11 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Software Packing	NTDS	1 Process Discovery	Distributed Component Object Model	1 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	31 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Masquerading	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	31 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EKSTRE_1022.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Generic
EKSTRE_1022.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\JIlApjvRxj.exe	37%	ReversingLabs	ByteCode-MSIL.Trojan.Generic

Source	Detection	Scanner	Label
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://reallyfreegeoip.org	0%	URL Reputation	safe
https://reallyfreegeoip.org	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	0%	URL Reputation	safe
https://reallyfreegeoip.org/xml/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.96.3	true	true	unknown
checkip.dyndns.com	193.122.6.168	true	false	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.71	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.comd	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://microsoft.co	JIlApjvRxj.exe, 00000012.00000002.2650089586.0000000006607000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/173.254.250.71d	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org/q	EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://reallyfreegeoip.orgd	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://tempuri.org/DataSet1.xsd	EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr	false		unknown
http://reallyfreegeoip.org	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.orgd	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://reallyfreegeoip.org/xml/173.254.250.71l	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://checkip.dyndns.org	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.org/d	EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	EKSTRE_1022.exe, 00000000.00000002.1424563889.00000000027DD000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1459389939.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E31000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0	EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr	false	URL Reputation: safe	unknown
https://api.telegram.org/bot-/sendDocument?chat_id=	EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://reallyfreegeoip.org/xml/	EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.122.6.168	checkip.dyndns.com	United States		31898	ORACLE-BMC-31898US	false
188.114.96.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1541206
Start date and time:	2024-10-24 15:20:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EKSTRE_1022.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@27/15@2/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 163 Number of non-executed functions: 18
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: EKSTRE_1022.exe

Simulations

Behavior and APIs

Time	Type	Description
09:21:00	API Interceptor	2x Sleep call for process: EKSTRE_1022.exe modified
09:21:01	API Interceptor	26x Sleep call for process: powershell.exe modified
09:21:04	API Interceptor	2x Sleep call for process: JIlApjvRxj.exe modified
15:21:02	Task Scheduler	Run new task: JIlApjvRxj path: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.122.6.168	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	checkip.dyndns.org/
	InvoiceXCopy.xls	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Ziraat Bankasi Swift Mesaji,pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	AmountXpayable.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	CLOSURE.doc	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	REVISED INVOICE.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	Inquiry N_ TM23-10-00.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
188.114.96.3	Orden de Compra No. 78986756565344657.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	paste.ee/d/nwtkd
	Doc 784-01965670.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	PO1268931024 - Bank Slip.exe	Get hash	malicious	PureLog Stealer	Browse	www.timizoasisey.shop/3p0l/
	BL.exe	Get hash	malicious	FormBook	Browse	www.launchdreamidea.xyz/bd77/
	w49A5FG3yg.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	9XHFe6y4Dj.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	733812cm.n9shteam.in/DefaultWordpress.php
	SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe	Get hash	malicious	Unknown	Browse	servicetelemetryserver.shop/api/index.php
	t1zTzS9a3r.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	abdulbek.top/externalvideoprotectdefaultsqlWindowsdlePrivate.php
	aQdB62N7SB.elf	Get hash	malicious	Shikitega, Xmrig	Browse	main.dsn.ovh/dns/lovely
	QUOTATION_OCTQTRA071244PDF.scr.exe	Get hash	malicious	Unknown	Browse	filetransfer.io/data-package/DyuQ5y15/download

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.97.3
	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.97.3
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	132.226.247.73
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	132.226.8.169
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	132.226.247.73
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ORACLE-BMC-31898US	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	193.122.6.168
	REVISED INVOICE.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.130.0
	botnet.spc.elf	Get hash	malicious	Mirai, Moobot	Browse	140.238.98.34
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	158.101.44.242
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.6.168
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	193.122.130.0
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	193.122.130.0
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	193.122.6.168
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	193.123.253.227
	la.bot.m68k.elf	Get hash	malicious	Unknown	Browse	193.123.29.81
CLOUDFLARENETUS	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	https://app.pandadoc.com/document/v2?token=69b8ae0059c2551a9a27ed1b65653c1a0b5ee1ff	Get hash	malicious	Unknown	Browse	104.16.117.116
	https://app.writesonic.com/share/writing-assistant/d140c48b-3642-43bf-a085-e258c1fb4f03	Get hash	malicious	Unknown	Browse	172.67.71.97
	StudioDemo.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL/	Get hash	malicious	Unknown	Browse	104.18.95.41
	5Setup.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	setup.msi	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://1drv.ms/o/c/3e563d3fb2a98d1c/Emlo5KUbYYNEvKtIF-7SS0EBYSeT3hOOGuv_MbeT-n2y4g?e=HPjqUn	Get hash	malicious	HtmlDropper	Browse	104.21.45.155
	https://railrent-railrent.powerappsportals.com/	Get hash	malicious	Unknown	Browse	172.67.140.116
	https://2007.filemail.com/api/file/get?filekey=58mKUrTMdlmzqkRvo0UdVa2TMjJTCQiSNv5rUBtsDQTNU0dM4JzppUJaOrP_mWxCym0k9l5xEDeaXunPsHq6frY8XZH_gnclw86MefA3bpAlGuDkr77-xSqrMOQIlMdW5cRjwoOSCWIlTwpC48cNKMMHhMKp&track=P8fpm4ry&pk_vid=8a8b18f03738ae4f17297703684d559d	Get hash	malicious	HTMLPhisher	Browse	104.17.112.233

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Purchase Order.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	Halkbank_Ekstre_20241022_081224_563756.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	188.114.96.3
	SIPARIS-290124.PDF.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3
	Renommxterne.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	PAYMENT ADVISE MT107647545.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3
	080210232024.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.96.3
	226999705-124613-sanlccjavap0004-67.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	BT-036016002U_RFQ 014-010-02024.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	RFQ_64182MR_PDF.R00.vbs	Get hash	malicious	GuLoader, Snake Keylogger	Browse	188.114.96.3

Process:	C:\Users\user\Desktop\EKSTRE_1022.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JIlApjvRxj.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5:	1330C80CAAC9A0FB172F202485E9B1E8
SHA1:	86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256:	B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512:	75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.3810236212315665
Encrypted:	false
SSDEEP:	48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:lGLHxv2IfLZ2KRH6Oug8s
MD5:	46CFAD7E103735ABA6646E3E9F6012AF
SHA1:	F864D5F42D478A79AF32EAE14B87265DE193A851
SHA-256:	55D9A9F40CF5657C548085C6C2472DF452CF3B1A75515C52F59D8853C5F39E74
SHA-512:	8AE818C136BC9AD5A375BDF9B7688C900C8CBE69A17660D428618259E680F338557E5DFF9897E1414E95E2AB1F5B9792965C20FAB7320648FB0B430C10F81A48
Malicious:	false
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aow4wjdq.4q5.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ayrkr3q3.4me.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2g1oijj.1zo.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gd2pdpaf.ovq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gsogotwp.hol.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfamaill.lhy.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ov4oewa1.kij.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvgyba1q.qfq.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp

Download File

Process:	C:\Users\user\Desktop\EKSTRE_1022.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	5.115863867121155
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoIxxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuToWv
MD5:	FA1A9352A7AC073AA7BA9FF5B6B4290F
SHA1:	A76D0A104D307F2B6D3CB88610E701099885717B
SHA-256:	519E028175C5DFFAEBDB60BDB85978406C35E5EBA60E342241F707FCC54763BB
SHA-512:	08B8DE1074F47CA4DD463E6B20373C8ADFEF19D66139531203360E120C32E74673499E7FE4F1752078FE782EC02E2D95EB3B06DEE10DBDE4AAD56580D38DACF1
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1583
Entropy (8bit):	5.115863867121155
Encrypted:	false
SSDEEP:	24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoIxxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuToWv
MD5:	FA1A9352A7AC073AA7BA9FF5B6B4290F
SHA1:	A76D0A104D307F2B6D3CB88610E701099885717B
SHA-256:	519E028175C5DFFAEBDB60BDB85978406C35E5EBA60E342241F707FCC54763BB
SHA-512:	08B8DE1074F47CA4DD463E6B20373C8ADFEF19D66139531203360E120C32E74673499E7FE4F1752078FE782EC02E2D95EB3B06DEE10DBDE4AAD56580D38DACF1
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

Download File

Process:	C:\Users\user\Desktop\EKSTRE_1022.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	573960
Entropy (8bit):	7.910291827027345
Encrypted:	false
SSDEEP:	12288:SCfiaVM5GHMoVZYL0VCFQYAAA22zQ5I/slShaMZucL7kR:SYiJ5kVZglAB22zQ56LjI
MD5:	B949A48B3046B4B4E6E68564B228FBB2
SHA1:	65BD4CEEB0B371E5C578479B7C1B83AE8B9EF29F
SHA-256:	F68C0C40AA651D080967EA4EA3C389FC1E3DBAFCD097AC10F01374D0F6AE52D3
SHA-512:	2734F5ADBE5244338E919165B61E5C1C4924A30B54EBD0CEB9022CB1621B486E9E7CE5CC932D29CC64BFF89C89302BE6E410A4F2AB950DBDD63AEAAACF5D5781
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@.................................F...O.......0................6..........(}..p............................................ ............... ..H............text....~... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B................z.......H........t...i......M...................................................z..}.....(.......(......(.......0............{....o....r...p(......,...{....o....(.........0..]........( .....,R..{....o!....("...o#.....{.....{....o$....("...o%...o&.....{......X.o'......}.........0............(......,...((.........0..!.........(......,...{....o).....(......6.r...p(...&....{.....(......{....r...po+........0..U.........{....,..{.......+....,....(....}......}.....+$.{....,..{....+.

C:\Users\user\AppData\Roaming\JIlApjvRxj.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\EKSTRE_1022.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.910291827027345
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.98% Win32 Executable (generic) a (10002005/4) 49.93% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	EKSTRE_1022.exe
File size:	573'960 bytes
MD5:	b949a48b3046b4b4e6e68564b228fbb2
SHA1:	65bd4ceeb0b371e5c578479b7c1b83ae8b9ef29f
SHA256:	f68c0c40aa651d080967ea4ea3c389fc1e3dbafcd097ac10f01374d0f6ae52d3
SHA512:	2734f5adbe5244338e919165b61e5c1c4924a30b54ebd0ceb9022cb1621b486e9e7ce5cc932d29cc64bff89c89302be6e410a4f2ab950dbdd63aeaaacf5d5781
SSDEEP:	12288:SCfiaVM5GHMoVZYL0VCFQYAAA22zQ5I/slShaMZucL7kR:SYiJ5kVZglAB22zQ56LjI
TLSH:	C3C4124136F89BE2D6FFABF41162556203B3771B2939D78D1DC400ED18E3B688A54B17
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x489e9a
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xAAFFD7DD [Sun Nov 28 18:54:21 2060 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	13/11/2018 01:00:00 09/11/2021 00:59:59
Subject Chain	CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
Version:	3
Thumbprint MD5:	DABD77E44EF6B3BB91740FA46696B779
Thumbprint SHA-1:	5B9E273CF11941FD8C6BE3F038C4797BBE884268
Thumbprint SHA-256:	4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
Serial:	7C1118CBBADC95DA3752C46E47A27438

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x89e46	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x8a000	0x630	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x88c00	0x3608
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8c000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x87d28	0x70	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x87ea0	0x88000	3ae061c57300b82df02c3e55360c39a4	False	0.9378608254825368	data	7.921681038853017	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x8a000	0x630	0x800	ea6531436aaf8e08a53451deae7a9167	False	0.33984375	data	3.4834516097693258	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8c000	0xc	0x200	99f9f90731f11386fac22638170e1630	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x8a090	0x3a0	data			0.4213362068965517
RT_MANIFEST	0x8a440	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-24T15:21:03.866696+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49710	193.122.6.168	80	TCP
2024-10-24T15:21:07.054215+0200	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.8	49714	193.122.6.168	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 15:21:02.702706099 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:02.708190918 CEST	80	49710	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:02.708264112 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:02.708482981 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:02.714199066 CEST	80	49710	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:03.556114912 CEST	80	49710	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:03.561868906 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:03.567780972 CEST	80	49710	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:03.809865952 CEST	80	49710	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:03.866695881 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:04.205415964 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:04.205449104 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:04.205552101 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:04.212364912 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:04.212378979 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:04.833420992 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:04.833501101 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:04.837733030 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:04.837738037 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:04.838001013 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:04.882370949 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:04.892824888 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:04.939327002 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:05.042577982 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:05.042673111 CEST	443	49712	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:05.042753935 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:05.062947035 CEST	49712	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:05.891138077 CEST	49714	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:05.897150993 CEST	80	49714	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:05.897245884 CEST	49714	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:05.897456884 CEST	49714	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:05.906819105 CEST	80	49714	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:06.749663115 CEST	80	49714	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:06.755157948 CEST	49714	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:06.760937929 CEST	80	49714	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:07.002935886 CEST	80	49714	193.122.6.168	192.168.2.8
Oct 24, 2024 15:21:07.005367041 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:07.005410910 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:07.005510092 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:07.011703968 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:07.011727095 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:07.054214954 CEST	49714	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:21:07.629874945 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:07.630022049 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:07.632005930 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:07.632016897 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:07.632488012 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:07.679183960 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:07.696736097 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:07.739330053 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:07.840065956 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:07.840308905 CEST	443	49716	188.114.96.3	192.168.2.8
Oct 24, 2024 15:21:07.840368032 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:21:07.843463898 CEST	49716	443	192.168.2.8	188.114.96.3
Oct 24, 2024 15:22:08.931389093 CEST	80	49710	193.122.6.168	192.168.2.8
Oct 24, 2024 15:22:08.931570053 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:22:12.123620033 CEST	80	49714	193.122.6.168	192.168.2.8
Oct 24, 2024 15:22:12.123732090 CEST	49714	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:22:43.851861000 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:22:44.163899899 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:22:44.479981899 CEST	80	49710	193.122.6.168	192.168.2.8
Oct 24, 2024 15:22:44.481862068 CEST	80	49710	193.122.6.168	192.168.2.8
Oct 24, 2024 15:22:44.482017994 CEST	49710	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:22:47.008397102 CEST	49714	80	192.168.2.8	193.122.6.168
Oct 24, 2024 15:22:47.282497883 CEST	80	49714	193.122.6.168	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 24, 2024 15:21:02.677881956 CEST	63959	53	192.168.2.8	1.1.1.1
Oct 24, 2024 15:21:02.686837912 CEST	53	63959	1.1.1.1	192.168.2.8
Oct 24, 2024 15:21:04.195843935 CEST	51683	53	192.168.2.8	1.1.1.1
Oct 24, 2024 15:21:04.204798937 CEST	53	51683	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 24, 2024 15:21:02.677881956 CEST	192.168.2.8	1.1.1.1	0x7f3a	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:21:04.195843935 CEST	192.168.2.8	1.1.1.1	0x5f53	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 24, 2024 15:21:02.686837912 CEST	1.1.1.1	192.168.2.8	0x7f3a	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 24, 2024 15:21:02.686837912 CEST	1.1.1.1	192.168.2.8	0x7f3a	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:21:02.686837912 CEST	1.1.1.1	192.168.2.8	0x7f3a	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:21:02.686837912 CEST	1.1.1.1	192.168.2.8	0x7f3a	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:21:02.686837912 CEST	1.1.1.1	192.168.2.8	0x7f3a	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:21:02.686837912 CEST	1.1.1.1	192.168.2.8	0x7f3a	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:21:04.204798937 CEST	1.1.1.1	192.168.2.8	0x5f53	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false
Oct 24, 2024 15:21:04.204798937 CEST	1.1.1.1	192.168.2.8	0x5f53	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49710	193.122.6.168	80	7584	C:\Users\user\Desktop\EKSTRE_1022.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 15:21:02.708482981 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 15:21:03.556114912 CEST	323	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 13:21:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 93d0a86f68e2f33d9c5a4b475f7a788f Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 15:21:03.561868906 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 24, 2024 15:21:03.809865952 CEST	323	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 13:21:03 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 7c44dd2aa08ec54496d332489e378486 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49714	193.122.6.168	80	7752	C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

Timestamp	Bytes transferred	Direction	Data
Oct 24, 2024 15:21:05.897456884 CEST	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Oct 24, 2024 15:21:06.749663115 CEST	323	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 13:21:06 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: f232ed3047f213ff7cf6dd8bd4e30ca6 Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 15:21:06.755157948 CEST	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Oct 24, 2024 15:21:07.002935886 CEST	323	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 13:21:06 GMT Content-Type: text/html Content-Length: 106 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache X-Request-ID: 1a20f07f564d68acea74b1a32bacb75e Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49712	188.114.96.3	443	7584	C:\Users\user\Desktop\EKSTRE_1022.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 13:21:04 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 13:21:05 UTC	895	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 13:21:04 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42012 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6oZQcbwDU7Msg9q6FPYc9pgCrWzATzexf42b8YwJgd3oU%2FDzY4Ly2TRkWMSJMhePBIiKxgligBpiy6bM5PcCHNRJ%2BHG6bguS5UopLGISZOjgMQ%2BNbZkqC%2FJ3DeE0I24N6FHKdPCe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7a4495fff93ab8-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1726&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=913852&cwnd=250&unsent_bytes=0&cid=d542ad25d8993bc5&ts=223&x=0"
2024-10-24 13:21:05 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 13:21:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49716	188.114.96.3	443	7752	C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-24 13:21:07 UTC	87	OUT	GET /xml/173.254.250.71 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2024-10-24 13:21:07 UTC	898	IN	HTTP/1.1 200 OK Date: Thu, 24 Oct 2024 13:21:07 GMT Content-Type: application/xml Transfer-Encoding: chunked Connection: close access-control-allow-origin: * vary: Accept-Encoding Cache-Control: max-age=86400 CF-Cache-Status: HIT Age: 42015 Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O5EwvdU3acGtINbrcFCFEaLG%2BpHrXAN%2FIFhWqOx54XXh4yowDitCehxhmDsM70SYWt866QONh5%2BxT2ObitCzVqGxuKnVt79TAgqVlGlACaSmwP%2FMnaOzz21%2FwOlcSrA2Kyx6A4qt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8d7a44a778a2e72a-DFW alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1532&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1827129&cwnd=222&unsent_bytes=0&cid=2da696f862cdbaef&ts=222&x=0"
2024-10-24 13:21:07 UTC	366	IN	Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
2024-10-24 13:21:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	09:20:59
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\EKSTRE_1022.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EKSTRE_1022.exe"
Imagebase:	0x410000
File size:	573'960 bytes
MD5 hash:	B949A48B3046B4B4E6E68564B228FBB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:21:00
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"
Imagebase:	0xb50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	09:21:00
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
Imagebase:	0xb50000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"
Imagebase:	0x9c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\EKSTRE_1022.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EKSTRE_1022.exe"
Imagebase:	0x160000
File size:	573'960 bytes
MD5 hash:	B949A48B3046B4B4E6E68564B228FBB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\EKSTRE_1022.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EKSTRE_1022.exe"
Imagebase:	0x220000
File size:	573'960 bytes
MD5 hash:	B949A48B3046B4B4E6E68564B228FBB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\EKSTRE_1022.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EKSTRE_1022.exe"
Imagebase:	0x350000
File size:	573'960 bytes
MD5 hash:	B949A48B3046B4B4E6E68564B228FBB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\EKSTRE_1022.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EKSTRE_1022.exe"
Imagebase:	0x230000
File size:	573'960 bytes
MD5 hash:	B949A48B3046B4B4E6E68564B228FBB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	09:21:01
Start date:	24/10/2024
Path:	C:\Users\user\Desktop\EKSTRE_1022.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EKSTRE_1022.exe"
Imagebase:	0x790000
File size:	573'960 bytes
MD5 hash:	B949A48B3046B4B4E6E68564B228FBB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2647148367.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	09:21:02
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
Imagebase:	0x460000
File size:	573'960 bytes
MD5 hash:	B949A48B3046B4B4E6E68564B228FBB2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 37%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:21:02
Start date:	24/10/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff605670000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	09:21:04
Start date:	24/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp"
Imagebase:	0x9c0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:21:04
Start date:	24/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:21:05
Start date:	24/10/2024
Path:	C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
Imagebase:	0xb50000
File size:	573'960 bytes
MD5 hash:	B949A48B3046B4B4E6E68564B228FBB2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2646438586.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	11.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	3.3%
Total number of Nodes:	300
Total number of Limit Nodes:	10

Executed Functions

Function 06BAE734 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BAE976

Strings

J+Au, xrefs: 06BAE77B
J+Au, xrefs: 06BAE7AA

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: CreateProcess
String ID: J+Au$J+Au
API String ID: 963392458-2378654435
Opcode ID: 80176fbedd23788e0e8bf91e581e586a6b39cd7e60e10d771ab388d186d602ad
Instruction ID: 681934293b6f6b8e23a725827ae843f31d5801a09badf5996d4821b5fce47580
Opcode Fuzzy Hash: 80176fbedd23788e0e8bf91e581e586a6b39cd7e60e10d771ab388d186d602ad
Instruction Fuzzy Hash: 0CA148B1D04319DFEB60DF68C84179EBBB2FF44310F1485A9E809A7240DB759986DF91

Function 06BA2CA0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06BA2D27

Strings

J+Au, xrefs: 06BA2CCA

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: InformationProcessQuery
String ID: J+Au
API String ID: 1778838933-687355315
Opcode ID: 0f1f7fe77a95f61554ad2a531a6eb993b55a65a4d3ef2bfc11f19e10f7b1329b
Instruction ID: 228c3727b57b84cb3cdd0ce26eb14494ebda87cb3d2a9149ec297288e31f997c
Opcode Fuzzy Hash: 0f1f7fe77a95f61554ad2a531a6eb993b55a65a4d3ef2bfc11f19e10f7b1329b
Instruction Fuzzy Hash: 0621DBB6900349DFCB10CF9AD984ADEBBF4FB48310F10842AE918A7650C375A944CFA1

Function 06BA2CA8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06BA2D27

Strings

J+Au, xrefs: 06BA2CCA

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: InformationProcessQuery
String ID: J+Au
API String ID: 1778838933-687355315
Opcode ID: a5ab1d9d3cc1979af0365a9a7b12614815c541ba0cf3804fbb0dbdd3e48a8b4d
Instruction ID: 86e3a1715cf52544d6284eebe656dbd2c311bb944b866989ad308afcce9fbdf2
Opcode Fuzzy Hash: a5ab1d9d3cc1979af0365a9a7b12614815c541ba0cf3804fbb0dbdd3e48a8b4d
Instruction Fuzzy Hash: 0621BDB5900349DFCB10DF9AD884ADEFBF4FB48310F10842AE918A7250C375A944CFA5

Function 06BA0040 Relevance: .5, Instructions: 506COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fb87610aa39cf4e8f4cc45a89764f82ef7ec05d6a3e8d832892bb9a79fd225f
Instruction ID: 6609f17cfe7d249aaef34b59e3060e3965ba67062dac92f947b727d0619fc20b
Opcode Fuzzy Hash: 0fb87610aa39cf4e8f4cc45a89764f82ef7ec05d6a3e8d832892bb9a79fd225f
Instruction Fuzzy Hash: 6842A274E01218CFDB64DFA9C984B9DBBB2FF48305F1481A9E809AB355D734A981CF51

Function 02653360 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 128c259982e72ffa9425ce7a5ad883629d22576660c2fb5829d5749e33210257
Instruction ID: ecc1f75e43ab44a41e4d2883a23e2bd0cc13929a4ac2a2b33e809bd45ecd6b4a
Opcode Fuzzy Hash: 128c259982e72ffa9425ce7a5ad883629d22576660c2fb5829d5749e33210257
Instruction Fuzzy Hash: 4CC1BA31B007148FEB19DB75C860BAFB7E6AF89B44F1444ADE9468B390CB39E805CB51

Function 06BA33FC Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e94a40f7abc368c3af2ad9dbf563e89786c288642d8e4e0386681b8e1eac027
Instruction ID: d17254e9a820440e8333219af069f974f18767c333ab712ae0be8afde8282995
Opcode Fuzzy Hash: 8e94a40f7abc368c3af2ad9dbf563e89786c288642d8e4e0386681b8e1eac027
Instruction Fuzzy Hash: 56615A75E002099FDF04DFA9D8849EEBBF6FF89310F14842AE815A7254DB749906CB90

Function 06BA0006 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec3ac41f364ea2db078edf8ba555e229abaa33327d7c445e835612fe88f5856d
Instruction ID: 6b224d0ad44a98212057d422dfa131b937a8d1bd95b1560e40f10bc81992f0fe
Opcode Fuzzy Hash: ec3ac41f364ea2db078edf8ba555e229abaa33327d7c445e835612fe88f5856d
Instruction Fuzzy Hash: 9F71F774E05318CFEB55CF69C994B9DBBB2BF88300F1481AAE808AB365D7359941CF51

Function 06BAF7C0 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e4cc4b5541983f9b9febf8ae0682217fd150906273137b25da5ee6cce514f9d
Instruction ID: 341a110e6c45f21577d26765bddc147b83193b83a757e0f1e3bd708cb46334a0
Opcode Fuzzy Hash: 7e4cc4b5541983f9b9febf8ae0682217fd150906273137b25da5ee6cce514f9d
Instruction Fuzzy Hash: 355106B4D1E308DFEB84CFAAD5442FDBBFEAB4A300F00A165D419A6246D7348546CB84

Function 06BA5020 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63fe72b010bed318f0aaca2f7575477c258702dee590f59a1a4f717386e40fd9
Instruction ID: 2df7b4a6cfe571ba6727ce5357aa91e3a618c141d25fe04df33465b8255816b2
Opcode Fuzzy Hash: 63fe72b010bed318f0aaca2f7575477c258702dee590f59a1a4f717386e40fd9
Instruction Fuzzy Hash: 8B5190B1D002189FDB18CFEAD8846EEBBF2FF89300F10816AD419AB254DB745A46CF50

Function 06BA5012 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f495e26a67bdac81da12eadec61e8dbc91e98220b695a295fc67e0122764156
Instruction ID: 0b7bfbc5509581f35f3e9943c44892f9f816ebadf3153301e64f50ad53e9d530
Opcode Fuzzy Hash: 8f495e26a67bdac81da12eadec61e8dbc91e98220b695a295fc67e0122764156
Instruction Fuzzy Hash: 9541A7B1E046199FDB18DFEAD88469EFBF2EF89300F14C16AD418AB254DB345A46CF40

Function 06BA8BA2 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c28d2c7e6641df11dfc70008411d4f1eeb6ba6408b1a391fa47f54a9340789c6
Instruction ID: 3940fadcbeafc8404b326d2311f91c251e3a584a427dfe4eb5c9c92c24f4048d
Opcode Fuzzy Hash: c28d2c7e6641df11dfc70008411d4f1eeb6ba6408b1a391fa47f54a9340789c6
Instruction Fuzzy Hash: 7E11E9B1D056188BEB18CFA7CD453DEFAF3AFC8300F14C56A940976254DB7509468A44

Function 06BA8BB0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9af9d7f15a3375ddbda5bcac2441cb4dc8cc0ed7a1616b9faf7a90d66aa30b7e
Instruction ID: 93ec5b55d1249d2e3e3119c069b399aefa655d6852f7311fd2931843d55249e7
Opcode Fuzzy Hash: 9af9d7f15a3375ddbda5bcac2441cb4dc8cc0ed7a1616b9faf7a90d66aa30b7e
Instruction Fuzzy Hash: 5811E3B1D046588BEB18CFABC80439EFEF7AFC8300F14C16A940966258DB7509468A84

Function 02651BB5 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588bcb9ec37de99f4a7e11a5865cd1b090ab3df3ee76fd12dd5c96a51b9210b5
Instruction ID: df437f92f81693351740ed3c8c13012eeac82d7e9fb9a9ab1452e46869df802a
Opcode Fuzzy Hash: 588bcb9ec37de99f4a7e11a5865cd1b090ab3df3ee76fd12dd5c96a51b9210b5
Instruction Fuzzy Hash: C1E0E53898E228CBCB18CE94E9542F8B7FCEB4E315F0124A5DC0EA7221C7305A96CE04

Function 02651E65 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 509b2131afcde7804afb239db3a994bbc4896d56478a59dc70f6435e4e87035b
Instruction ID: a9e5d372944af098c6a0b4f00862bd635a4af8eb101e0fa03d7b88f4e8c2cec0
Opcode Fuzzy Hash: 509b2131afcde7804afb239db3a994bbc4896d56478a59dc70f6435e4e87035b
Instruction Fuzzy Hash: 38E04F78D4E114CBCB049A68A9541F8B7FCDB4A215F0524F6DC4E97212D2304552CA19

Function 06BAE740 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BAE976

Strings

J+Au, xrefs: 06BAE77B
J+Au, xrefs: 06BAE7AA

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: CreateProcess
String ID: J+Au$J+Au
API String ID: 963392458-2378654435
Opcode ID: 4ca116e9b4e8da707775fdd8980c7ac303035749a93afdf5a7dcf0dc0c536f63
Instruction ID: f602f25ea9124f7134f3f9554f8898d50ea231e8f4fe0b4eac81d04b557b34f3
Opcode Fuzzy Hash: 4ca116e9b4e8da707775fdd8980c7ac303035749a93afdf5a7dcf0dc0c536f63
Instruction Fuzzy Hash: 11916AB1D04319CFEB60DF68C84179EBBB2FF48310F1485A9E808A7280DB759986DF91

Function 00F5AD48 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F5AF9E

Strings

J+Au, xrefs: 00F5AF57

Memory Dump Source

Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd

Similarity

API ID: HandleModule
String ID: J+Au
API String ID: 4139908857-687355315
Opcode ID: 1d129f3a1d065754fad5956d647ca3dac7d8effd7b375b2258c5a55170cda9ff
Instruction ID: 30f6ceb2ca1596a8217dbcee5e96ed991d2a115688034e0bfe34ba8d772b6470
Opcode Fuzzy Hash: 1d129f3a1d065754fad5956d647ca3dac7d8effd7b375b2258c5a55170cda9ff
Instruction Fuzzy Hash: 99716570A00B058FD724DF2AD44575ABBF1FF88315F008A2DD98AD7A40DB79E859CB92

Function 00F544F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F559C9

Strings

J+Au, xrefs: 00F5594C

Memory Dump Source

Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd

Similarity

API ID: Create
String ID: J+Au
API String ID: 2289755597-687355315
Opcode ID: 2d245d1d13d9b69e7fa7b1adf163b91dad842f86388d0dd8c6f8c3ef6c624db7
Instruction ID: 6d13346bba83ecee2553a47968557d3040095720d56f7909fcf20cd0e075dcf3
Opcode Fuzzy Hash: 2d245d1d13d9b69e7fa7b1adf163b91dad842f86388d0dd8c6f8c3ef6c624db7
Instruction Fuzzy Hash: 8541F2B1D0071DCFDB24DFA9C88478EBBB5BF48714F20816AD508AB251DB756949CF90

Function 04D24050 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04D24111

Strings

J+Au, xrefs: 04D24067

Memory Dump Source

Source File: 00000000.00000002.1426175203.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_EKSTRE_1022.jbxd

Similarity

API ID: CallProcWindow
String ID: J+Au
API String ID: 2714655100-687355315
Opcode ID: 06ee4b96ffc5b42132cfe27e9de022bbd6070f3a74d89dd4fba5f6259b00de79
Instruction ID: 1432bb950109ca0c1815f8dea6af22ee0908bd5ad27558e551833637b41c7315
Opcode Fuzzy Hash: 06ee4b96ffc5b42132cfe27e9de022bbd6070f3a74d89dd4fba5f6259b00de79
Instruction Fuzzy Hash: F5414BB8A00319DFDB14CF99C548A9ABBF5FF98318F24C458D519A7321D375A841CFA0

Function 00F55917 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 00F559C9

Strings

J+Au, xrefs: 00F5594C

Memory Dump Source

Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd

Similarity

API ID: Create
String ID: J+Au
API String ID: 2289755597-687355315
Opcode ID: a4beadfdf32b4057f69c29ce15c0c90feca6870c78b8b521a261b90545b7d393
Instruction ID: f306b703e30de2bec20462e3caae24162c860b74ef21929d2539ef6d116e8905
Opcode Fuzzy Hash: a4beadfdf32b4057f69c29ce15c0c90feca6870c78b8b521a261b90545b7d393
Instruction Fuzzy Hash: 3641F1B1D0071DCFDB24DFA9C88478EBBB1BF88714F20816AD508AB251DB756949CF50

Function 06BAE4B0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BAE548

Strings

J+Au, xrefs: 06BAE4D7

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: J+Au
API String ID: 3559483778-687355315
Opcode ID: a488dc054332e7fba3a491b28d082e532357ded0d5ce81e3ea07111213c63ba2
Instruction ID: 9bd2378998388209cbac29ae4f387e42ed2c8e439b715d58414a4e61170d25e5
Opcode Fuzzy Hash: a488dc054332e7fba3a491b28d082e532357ded0d5ce81e3ea07111213c63ba2
Instruction Fuzzy Hash: 3E2146B1D003499FDB10CFAAC881BEEBBF1FF88310F10842AE919A7240D7799945DB60

Function 06BAE4B8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BAE548

Strings

J+Au, xrefs: 06BAE4D7

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: MemoryProcessWrite
String ID: J+Au
API String ID: 3559483778-687355315
Opcode ID: 2007f41cc132228dab4a35514bda946331588731da2eaeea993d05d3a3f07065
Instruction ID: cddf751ca4a492267cf64bee4eb47cc26de5867d3d24152be92fcc65f3f0a914
Opcode Fuzzy Hash: 2007f41cc132228dab4a35514bda946331588731da2eaeea993d05d3a3f07065
Instruction Fuzzy Hash: DE2136B19003499FDF10DFAAC885BDEBBF5FF48310F10842AEA19A7240D7799945DBA4

Function 06BAE5A0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BAE628

Strings

J+Au, xrefs: 06BAE5C7

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: MemoryProcessRead
String ID: J+Au
API String ID: 1726664587-687355315
Opcode ID: ac96554584251868d39bc780f907502d46c1e0a92f68370d413fc4dfe6ec3382
Instruction ID: 16fd38685c4532d0c530c1ab78707e6b0625ab954cff56cc7fdfe6ba15334569
Opcode Fuzzy Hash: ac96554584251868d39bc780f907502d46c1e0a92f68370d413fc4dfe6ec3382
Instruction Fuzzy Hash: 0821F4B18003499FDB10DFAAC881BEEBBB5FF88310F108429E959A7241D779A945DB64

Function 06BAE318 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BAE39E

Strings

J+Au, xrefs: 06BAE33C

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: ContextThreadWow64
String ID: J+Au
API String ID: 983334009-687355315
Opcode ID: 16b50f7bef592a9f0eb942e526dc7707039955c773f0804f3cd67b4c65e28a7e
Instruction ID: b293fa6ec1cdeec8c3117668e6bb948a80485efa875634a0c704cefaee363938
Opcode Fuzzy Hash: 16b50f7bef592a9f0eb942e526dc7707039955c773f0804f3cd67b4c65e28a7e
Instruction Fuzzy Hash: FA2145B1D003098FDB60CFAAC4857EEBBF5EF88310F148429D959A7240CB789946CFA5

Function 00F5B730 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F5D5E6,?,?,?,?,?), ref: 00F5D6A7

Strings

J+Au, xrefs: 00F5D63F

Memory Dump Source

Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd

Similarity

API ID: DuplicateHandle
String ID: J+Au
API String ID: 3793708945-687355315
Opcode ID: d5bc8a4ab920ea988a0667c3a5d5f46df10529c21883cfc0fb1e9d42309fde39
Instruction ID: d022f4b9f1749004f0e823b981b457443641fc72743c03bdc0a6985157130a96
Opcode Fuzzy Hash: d5bc8a4ab920ea988a0667c3a5d5f46df10529c21883cfc0fb1e9d42309fde39
Instruction Fuzzy Hash: 532105B5901249DFDB10CF9AD484ADEBBF4FB48310F14801AE918A7310C378A954CFA4

Function 06BAE5A8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BAE628

Strings

J+Au, xrefs: 06BAE5C7

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: MemoryProcessRead
String ID: J+Au
API String ID: 1726664587-687355315
Opcode ID: 09395e359b9d259f056403412ea0c616f0f9f50a18af316f590c5e6033b1dced
Instruction ID: 60191ca5be61cbcae9cb41915db06cf188a858cbb78799ee0d7089cf865a8f67
Opcode Fuzzy Hash: 09395e359b9d259f056403412ea0c616f0f9f50a18af316f590c5e6033b1dced
Instruction Fuzzy Hash: C12116B1C003499FDB10DFAAC880BDEBBF5FF48310F508429E919A7240D7799501DBA4

Function 06BAE320 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BAE39E

Strings

J+Au, xrefs: 06BAE33C

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: ContextThreadWow64
String ID: J+Au
API String ID: 983334009-687355315
Opcode ID: 240c8f9326eacf6734f220f4fb492c01c13ab03ac03907ef34ddf40155658efd
Instruction ID: 99c71e256308d53e6b83440a27d742d2a48a0638f45b7409408354821454a4ed
Opcode Fuzzy Hash: 240c8f9326eacf6734f220f4fb492c01c13ab03ac03907ef34ddf40155658efd
Instruction Fuzzy Hash: 4C213871D003098FDB10DFAAC4857AEBBF4EF88310F148429D559A7240CB789945CFA4

Function 06BAE3F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BAE466

Strings

J+Au, xrefs: 06BAE40F

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: AllocVirtual
String ID: J+Au
API String ID: 4275171209-687355315
Opcode ID: 4ba29523caf80718b56c3e9ebe5126ede1be6330de727e547ce79dfca021169a
Instruction ID: 133012060b8401f11bb9613ee526996c727c934fe14ec823223a61eec062bdb7
Opcode Fuzzy Hash: 4ba29523caf80718b56c3e9ebe5126ede1be6330de727e547ce79dfca021169a
Instruction Fuzzy Hash: 7B1156728003498FDF20DFAAC844BEEBBF5EF88320F248419E555A7250CB759905CFA0

Function 06BA3384 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06BA40F0

Strings

J+Au, xrefs: 06BA409F

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: DebugOutputString
String ID: J+Au
API String ID: 1166629820-687355315
Opcode ID: ef5a5abe7d196764d38ce5dd57aaebef5a4b7ce08a7143203b370a610d40a859
Instruction ID: 01edd76b5e2992d350c8756ca8a287f4b84d9292d356760cef3f3665620a020f
Opcode Fuzzy Hash: ef5a5abe7d196764d38ce5dd57aaebef5a4b7ce08a7143203b370a610d40a859
Instruction Fuzzy Hash: 8A1126B1C0475A9FCB14DF9AD444B9EFBF4FB48710F10816AD919A3240C7B5A914CFA5

Function 06BAE3F8 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BAE466

Strings

J+Au, xrefs: 06BAE40F

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: AllocVirtual
String ID: J+Au
API String ID: 4275171209-687355315
Opcode ID: 6772a057910d133af7a3defb24d43055f3eec1826c71d5620dcd5d44c3b2f1c5
Instruction ID: fea82f86bc75c7799f790d5a12db2a6871e0e7953cb5e6754759635499608005
Opcode Fuzzy Hash: 6772a057910d133af7a3defb24d43055f3eec1826c71d5620dcd5d44c3b2f1c5
Instruction Fuzzy Hash: CD1137718003499FDB10DFAAC844BDEBBF9EF88720F148419E515A7250CB75A544DFA0

Function 06BAE268 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 06BAE2D2

Strings

J+Au, xrefs: 06BAE287

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: ResumeThread
String ID: J+Au
API String ID: 947044025-687355315
Opcode ID: 5a85c5595350617e8d9a50a448d97b84b7179ea95744dbd4e0826d965a9a09bb
Instruction ID: b2a7fc2c8287c439c1d69deca6706a0c963852d3ae2e6007d2ecc6c82935c526
Opcode Fuzzy Hash: 5a85c5595350617e8d9a50a448d97b84b7179ea95744dbd4e0826d965a9a09bb
Instruction Fuzzy Hash: D61176B1C003498FDB20DFAAC4847EEFBF5AB88320F248429D419A7240CB799805CF94

Function 06BAE270 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 06BAE2D2

Strings

J+Au, xrefs: 06BAE287

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: ResumeThread
String ID: J+Au
API String ID: 947044025-687355315
Opcode ID: e3395a854279bc26004553dc7509c0d5fb2d741001a41025c4f5680206df36e0
Instruction ID: 1eab36faa9e9263bd00c73e54c4600ae204febcbd2bc091e92404e6c7da93a71
Opcode Fuzzy Hash: e3395a854279bc26004553dc7509c0d5fb2d741001a41025c4f5680206df36e0
Instruction Fuzzy Hash: 991158B18003498FDB10DFAAC44479EFBF4EB88320F248419D519A7240CB79A504CB94

Function 06BA4079 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06BA40F0

Strings

J+Au, xrefs: 06BA409F

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: DebugOutputString
String ID: J+Au
API String ID: 1166629820-687355315
Opcode ID: fa6d5e4e87daa1ca7f2405ff727cbfeecc56de470e3e079ce48591544627e80f
Instruction ID: 8008446e4443c637adddbb0801052e1927a88888bb108b8080fbc93d53d1025f
Opcode Fuzzy Hash: fa6d5e4e87daa1ca7f2405ff727cbfeecc56de470e3e079ce48591544627e80f
Instruction Fuzzy Hash: 9C111FB5C0465A9FCB14CF9AD944B9EFBF4FB88320F10816AD818A7250C778A614CFA1

Function 00F5AF38 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 00F5AF9E

Strings

J+Au, xrefs: 00F5AF57

Memory Dump Source

Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd

Similarity

API ID: HandleModule
String ID: J+Au
API String ID: 4139908857-687355315
Opcode ID: 1d1f378373679477ab52e4c9829d7a99b404d1d924bc9f7aa368dcd112670762
Instruction ID: 5493bd1e053a3e4529090a5f7c176f78972336a360dd59aba4c73bb0da08c09e
Opcode Fuzzy Hash: 1d1f378373679477ab52e4c9829d7a99b404d1d924bc9f7aa368dcd112670762
Instruction Fuzzy Hash: F21110B5C003498FCB10CF9AC444BDEFBF4EB88324F10851AD919A7210C379A545CFA1

Function 026529D9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02652A3D

Strings

J+Au, xrefs: 026529FA

Memory Dump Source

Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd

Similarity

API ID: MessagePost
String ID: J+Au
API String ID: 410705778-687355315
Opcode ID: 0ba00a357e933821b515992335c06927d10ff629c3b16ab8473427e385e27df8
Instruction ID: 81a5cd78b76ae4f7eb33216822b003eb2b37844e2620b768196c52315b44eff5
Opcode Fuzzy Hash: 0ba00a357e933821b515992335c06927d10ff629c3b16ab8473427e385e27df8
Instruction Fuzzy Hash: 8311F2B58002499FDB20DF9AD985BEEFBF4FB48320F208419E959A7240C375A945CFA1

Function 026529E0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 02652A3D

Strings

J+Au, xrefs: 026529FA

Memory Dump Source

Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd

Similarity

API ID: MessagePost
String ID: J+Au
API String ID: 410705778-687355315
Opcode ID: 8a0c6767f30f7b493e369dff3853468a9b023b64d1dacaa910a28ab3c6fb6f77
Instruction ID: 899164d6c5779f3aae2d1d550cb2c779ae3f0dbcbdb676ca67560a78a6536c89
Opcode Fuzzy Hash: 8a0c6767f30f7b493e369dff3853468a9b023b64d1dacaa910a28ab3c6fb6f77
Instruction Fuzzy Hash: D211D3B58003499FDB20DF9AD985BDEFBF8FB48324F108419E918A7250C375A944CFA5

Function 06BA3390 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06BA418F

Strings

J+Au, xrefs: 06BA414A

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: CloseHandle
String ID: J+Au
API String ID: 2962429428-687355315
Opcode ID: 4e60f0f0ea9584cdb4f8a9c0582f145f6b37695a4165a6d6e55be5d10afb8d76
Instruction ID: 9078c45ab2d30dea023a0556cd2ad789d8aafeaa888ff489ff8ad67f87784c36
Opcode Fuzzy Hash: 4e60f0f0ea9584cdb4f8a9c0582f145f6b37695a4165a6d6e55be5d10afb8d76
Instruction Fuzzy Hash: 031128B18043598FDB10DF9AC8457EEFBF4EB48320F108469D518A3251D778A944CFA5

Function 06BA4128 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06BA418F

Strings

J+Au, xrefs: 06BA414A

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: CloseHandle
String ID: J+Au
API String ID: 2962429428-687355315
Opcode ID: 4addc385b5ef615bcae64dee0577b5dd8fe08ae4564d0dcfc6955a4f05774513
Instruction ID: 48a9f043ef51007331c4eaaecbc4acc1acc1152bcbfe675c6b1128727c5f3aef
Opcode Fuzzy Hash: 4addc385b5ef615bcae64dee0577b5dd8fe08ae4564d0dcfc6955a4f05774513
Instruction Fuzzy Hash: 851125B1900349CFDB10CF9AC9857EEBBF4EF48324F20845AD518A3651D378A544CFA5

Function 06BA4038 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06BA40F0

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: f8c9c544eeef010c379389d88a99fba33d9959c47eedceaf0d38d3a8d35f12b9
Instruction ID: 93dc419623c09b0bcaef0329d2edee06bb7c1f4a0e00a207c0263a07567c0bfb
Opcode Fuzzy Hash: f8c9c544eeef010c379389d88a99fba33d9959c47eedceaf0d38d3a8d35f12b9
Instruction Fuzzy Hash: A2110EF2C09309CFDB20CFA8D8007ADBBB0FF81310F21819AC418A7281C7769958CBA1

Function 00B6D110 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423633028.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b6d000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3268641a0709fe5c5754aaae393e012bbe405b16e104757f9a3efec03d5b08e
Instruction ID: 75bd23e978787adb8abe167876317081b7d337f6e63cf8542f02b7158898b175
Opcode Fuzzy Hash: c3268641a0709fe5c5754aaae393e012bbe405b16e104757f9a3efec03d5b08e
Instruction Fuzzy Hash: 37210371A04304DFDB14DF10D9C0B16BFA6FB95320F2481A9E9091B256C3BAD856CBA2

Function 00B6D3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423633028.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b6d000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547d133e34eedb4666fca2bf6ed0358598a95181c15dcf544b3bb41d05183a27
Instruction ID: dbb55ba19e4fd092c05be770f473457fec642c429c7297e40306e7bfe3235a01
Opcode Fuzzy Hash: 547d133e34eedb4666fca2bf6ed0358598a95181c15dcf544b3bb41d05183a27
Instruction Fuzzy Hash: A6210675A04344DFDB04DF10D9C4B16BBA5FB98324F24C5A9D9090B356C73AEC56CBA2

Function 00B7D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423721002.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 932a8822362863c4199d45027da9aadfaf853ed738d0f3827e9fd7638400c031
Instruction ID: abd12bb8c68486b1f04b31cd15852a3819cdd9598bfa51b4faac0da86c5b464b
Opcode Fuzzy Hash: 932a8822362863c4199d45027da9aadfaf853ed738d0f3827e9fd7638400c031
Instruction Fuzzy Hash: 7421CF75604204AFDB05DF10D9C4B26BBB5FF84314F24C6ADE85E4B292C336D846CA61

Function 00B7D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423721002.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4d4e7447f7566114342b8c45e06687edb36826c863e51c7f0ed65d1549a7dd9
Instruction ID: f9f1b796dfe8e516c7deba2a0695e1f7961a5e9125703d8931365ede5bd5adf6
Opcode Fuzzy Hash: b4d4e7447f7566114342b8c45e06687edb36826c863e51c7f0ed65d1549a7dd9
Instruction Fuzzy Hash: 8E21FF756043009FDB14DF10D9D4B16BBB1EB84314F20C5ADD80E4B286C33AD806CA62

Function 00B7D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423721002.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9218c75d3a08485e9d5ca0d39730197fa9318e0baa695561a8b4d6fc87a8e1b8
Instruction ID: 42ae3b9ec359606808896abffba34e08c827bb1882517aa427b73b9051613ffb
Opcode Fuzzy Hash: 9218c75d3a08485e9d5ca0d39730197fa9318e0baa695561a8b4d6fc87a8e1b8
Instruction Fuzzy Hash: 302162755083849FCB02CF14D994B15BFB1EF46314F28C5DAD8498F2A7C33A9856CB62

Function 00B6D3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423633028.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b6d000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 57a28c92c7971f489d001fc73ef4dbce12f8dd5b206b2ef4499729f256b9c5b7
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 01110376A04240CFCB01CF00D5C0B16BFB2FB94324F24C2A9D8090B356C33AE856CBA1

Function 00B6D10B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423633028.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b6d000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 1c704b39ad19f50c28a9bd5f59bc357d9fae01fa963380fe79b1dd1e7ff70455
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: CF11D376A04244CFCB15CF10D9C4B16BFB2FB95324F24C6ADD8094B256C37AD856CBA1

Function 00B7D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1423721002.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b7d000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: f3f97dd7d46c6846952a03233f8a7a2c9243ccb1b303b0804ce1176929f3e80b
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 9D117975604284DFCB15DF14D5C4B15BBB2FB84324F28C6A9D8494B696C33AD84ACB61

Non-executed Functions

Function 04D20040 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1426175203.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6900b3ca9db34c718b166843b5f9c701bb468389ce99bf46527322bbe1ad7844
Instruction ID: abf6c939065f406296d0359d89785462c20cac832060d43a5f76c99360aafb95
Opcode Fuzzy Hash: 6900b3ca9db34c718b166843b5f9c701bb468389ce99bf46527322bbe1ad7844
Instruction Fuzzy Hash: 1A1284B9901746ABE310CF65EA4C3893FB1F7A5318F908209D2612EAE1D7BD194ACF44

Function 06BAB6F8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac94f117aef9edf7d15727cd6c4ddcbf9553cfe9b406d76474c48032896b5c74
Instruction ID: a7796cb733201358f1563fece8e1aba3a1db85a58df4a30b331ceba042d1d24d
Opcode Fuzzy Hash: ac94f117aef9edf7d15727cd6c4ddcbf9553cfe9b406d76474c48032896b5c74
Instruction Fuzzy Hash: 1AE11BB4E042598FDB14DFA8C580AAEFBF2FF89300F2481A9D458A7355D735A941CFA0

Function 06BAD610 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afbf914af1551729b5a25e91a900dd823070e8f558b9a5b9d37d2081d04d15f2
Instruction ID: 751a23be99126376e713e4d7334fe33a640aac10702092cddd1a18ae5dd816a7
Opcode Fuzzy Hash: afbf914af1551729b5a25e91a900dd823070e8f558b9a5b9d37d2081d04d15f2
Instruction Fuzzy Hash: 58E11BB4E042198FDB14DFA9C580AAEFBF2FF89305F2481A9D458A7355D734A942CF60

Function 06BA2578 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0009d3157319f885d0952388cf71b391e5cc814c72fa76643c5777fa3bf93b89
Instruction ID: 5b4e814ffef9c1ef1ede71a511001cf46bf81ab72816909f910a3697e8e1f691
Opcode Fuzzy Hash: 0009d3157319f885d0952388cf71b391e5cc814c72fa76643c5777fa3bf93b89
Instruction Fuzzy Hash: D5E1FCB4E042598FDB14DFA9C580AAEFBB2FF89305F2481A9D414AB355D7349D41CFA0

Function 06BA20B8 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67373262dee7dbb5a53323cff40df777afbe4e64f10324ee6e9147e945219939
Instruction ID: 953b1e73ebf9d542c317a065a8945bc7d43c08ca17d5c3ed2f4156248b1781b4
Opcode Fuzzy Hash: 67373262dee7dbb5a53323cff40df777afbe4e64f10324ee6e9147e945219939
Instruction Fuzzy Hash: B9E11DB4E042598FDB14DFA9C580AAEFBF2FF89305F2481A9D414AB355D734A942CF60

Function 06BA2E28 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea7248a338984bb8743d76a8b4aa535eeee440080fbff55df9ba3a968c83372
Instruction ID: aac32076b0aaadf75906ee8799c9e0c408116ec108b9191d9fd2a7ce9cb2c897
Opcode Fuzzy Hash: 7ea7248a338984bb8743d76a8b4aa535eeee440080fbff55df9ba3a968c83372
Instruction Fuzzy Hash: 53E11CB4E042598FDB54DFA8C580AAEFBF2FF89305F2481A9D414AB355D731A941CFA0

Function 06BABF68 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37d19873126de0d4d26243cd68cef09d21d7bc68fdd828e82cf0637cfbcb0b9f
Instruction ID: 24324a1be32c2856bf6a849bd6a3f41a516b806a66d68289c995210b75595227
Opcode Fuzzy Hash: 37d19873126de0d4d26243cd68cef09d21d7bc68fdd828e82cf0637cfbcb0b9f
Instruction Fuzzy Hash: 00E11CB4E042598FDB14DFA8C5809AEFBF2FF89305F2481A9D458A7355C735A941CFA0

Function 06BA1C80 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78b6deec345f3185a74a461fdde4dc3b572bb7506dce3a9415fb5c6eb90b3bd0
Instruction ID: b6da36d405baf136620f40b18c00511b6cd8186bb085819f8c15f1fa6671b18c
Opcode Fuzzy Hash: 78b6deec345f3185a74a461fdde4dc3b572bb7506dce3a9415fb5c6eb90b3bd0
Instruction Fuzzy Hash: 94E12AB4E042598FDB54DFA8C580AAEFBF2FF89305F2481A9D414AB355D731A942CF60

Function 06BADA48 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a19b0240daa7cacf0754157e80375e7a716245f603185cd53be95c9f0c0458f
Instruction ID: ed6b4d7125c4d63ae12c1c1cb50b3b16b9551e3e53e76f646dd208e40787c58a
Opcode Fuzzy Hash: 4a19b0240daa7cacf0754157e80375e7a716245f603185cd53be95c9f0c0458f
Instruction Fuzzy Hash: 4EE11CB4E042598FDB14DFA8C580AAEFBF2FF89304F2481A9D458AB355D735A941CF60

Function 06BABB30 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 603d0426755f297004eb29f4835a23af18ebc14ba3a4f89861cb10c126f57ea9
Instruction ID: 907a8904717c849647d8259de74994f463763b27f8db820b1251c168bb736e4f
Opcode Fuzzy Hash: 603d0426755f297004eb29f4835a23af18ebc14ba3a4f89861cb10c126f57ea9
Instruction Fuzzy Hash: 20E11CB4E042598FDB14DF98C5809AEFBF2FF89304F2481A9D458AB355D735A942CFA0

Function 00F5D304 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75471c81ae2f9308f6d97ceec317e055247021bb0856f1b3ed085d35d7386493
Instruction ID: ca1274f63a99a817d3f37e22ad35f119ddf059248159f18ddd06a90c0a7ab2ed
Opcode Fuzzy Hash: 75471c81ae2f9308f6d97ceec317e055247021bb0856f1b3ed085d35d7386493
Instruction Fuzzy Hash: 1CA16036E002058FCF05DFB4D84459EB7B2FF85311B1945BAE901AB266EB35ED0ADB80

Function 04D2003C Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1426175203.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4d20000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d7c9327a60eaf57c3ff9cd21e0f2b65b1847dd0f1af0f520196697597ca366
Instruction ID: 139d7dbbf3f8b0a07481f10a9d5a59fe16c8ed5c651a6682f16357a37d5fc3be
Opcode Fuzzy Hash: 03d7c9327a60eaf57c3ff9cd21e0f2b65b1847dd0f1af0f520196697597ca366
Instruction Fuzzy Hash: 5FC1F8B9801746EBE710CF65EA4C3897BB1FB99324F508309D2616BAD0DBBD184ACF44

Function 06BA52B0 Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8547c9448b21a232261f64cf1c77e28358104c3857793fb866f464143317da6
Instruction ID: ce82dde26db6e09d36303bbb586269aeab845f010551a8c0fbe3c2a949d0a2f7
Opcode Fuzzy Hash: f8547c9448b21a232261f64cf1c77e28358104c3857793fb866f464143317da6
Instruction Fuzzy Hash: 19718FB5E042188FDB54CFAAC984A9EFBF2FF88301F14C16AD419AB215DB349942CF50

Function 06BA1C70 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec6ded7dcb2b70b3752f3ffbeb7d77ee187bf5da298cf691af87eba9146956ce
Instruction ID: eb3383c54f90febbd6adc1b4608c2cd05f0db63150d43650a008ed44ae665961
Opcode Fuzzy Hash: ec6ded7dcb2b70b3752f3ffbeb7d77ee187bf5da298cf691af87eba9146956ce
Instruction Fuzzy Hash: 56512AB4E042198FDB54CFA9C5805AEFBF2FF89301F2481AAD418AB315D7319942CF60

Function 06BABF58 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5e46a5e334284b24c84f6cebd42a434842aa3f6ad17eb447fcba0cfbbfa943
Instruction ID: 90030ff107695b96e2a5c0727708231feae69bc49835048b07c4bb8434e0e7d8
Opcode Fuzzy Hash: fb5e46a5e334284b24c84f6cebd42a434842aa3f6ad17eb447fcba0cfbbfa943
Instruction Fuzzy Hash: F25127B4E042198FDB14CFA9C5805AEBBF2FF89204F24C1A9D458AB355D7359942CFA1

Function 06BADA3A Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc7728c3da14150f607c0d3b18ba5094da9d20e136130246bfbd520da2192bb0
Instruction ID: c0250e72837739c336e73b292652242b76601885dbf53654d7447037efcc1e72
Opcode Fuzzy Hash: bc7728c3da14150f607c0d3b18ba5094da9d20e136130246bfbd520da2192bb0
Instruction Fuzzy Hash: 585119B4E042198FDB14CFA9C5805AEFBF2FF89301F2481A9D458A7356D7359942CF61

Function 06BA52A2 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88df3681ec1f04a169e6efaaabc743d508eb5e974fdf7d4cb73718434d9f255b
Instruction ID: fad3ccf2fe053faba18b68323c07187f1f5506a5a097655c7c53828cdfc4a58a
Opcode Fuzzy Hash: 88df3681ec1f04a169e6efaaabc743d508eb5e974fdf7d4cb73718434d9f255b
Instruction Fuzzy Hash: 39518EB5E046188FDB48CFAAD98469EFBF2FF88300F14C06AD419AB315DB749946CB50

Function 02651F7D Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46f3008b3cd511a2b22562807bbe59442d5ac982256255be78aea0b5b49b9a0a
Instruction ID: 923bedbcbd80012c0aaf50a03c9965090d9a7ce78b40c955545df6698cfe038e
Opcode Fuzzy Hash: 46f3008b3cd511a2b22562807bbe59442d5ac982256255be78aea0b5b49b9a0a
Instruction Fuzzy Hash: FAC09B15D8D03CD689184885AC250F9FB7CD397075F003073DD1FA34124110525BD559

Analysis Process: EKSTRE_1022.exePID: 7584, Parent PID: 7828COMMON

Execution Graph

Execution Coverage:	15.7%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	14.3%
Total number of Nodes:	28
Total number of Limit Nodes:	3

Executed Functions

Function 010CC168 Relevance: 2.0, APIs: 1, Instructions: 529
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000D.00000002.2646206568.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10c0000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca70cf1d281ccf2251c3b71ebad181cdd4a66ef2e59652b44f2b81355bdc2cbf
Instruction ID: e4813eb5e4f8cf8a202cba083fb508bd20d96ee19871b78dbe2b7b92e088646d
Opcode Fuzzy Hash: ca70cf1d281ccf2251c3b71ebad181cdd4a66ef2e59652b44f2b81355bdc2cbf
Instruction Fuzzy Hash: 04221974E002198FEB14DFA8C984B9EBBB2BF88700F1485A9D449AB351DB319D85CF50

Function 010CC76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 010CC8AE

Memory Dump Source

Source File: 0000000D.00000002.2646206568.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_10c0000_EKSTRE_1022.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a6877d0bf9146fb088720485d1fd250c16d3ac6f1402aea10fa08a8eebb4cd7b
Instruction ID: 00a63fffb3078e78cc70a79b46994109dd8dfbff46559bbc0ccf570469d315ee
Opcode Fuzzy Hash: a6877d0bf9146fb088720485d1fd250c16d3ac6f1402aea10fa08a8eebb4cd7b
Instruction Fuzzy Hash: 48116074E002099FEB14DBA8D584AEEBBF5FB88714F148159E888E7342D7309C45CF60

Function 00DED030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2645113224.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_ded000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d4e601a4da20b18d63b9e2bd644320317ff829a9f9f3f844ede37a8d539f1cd
Instruction ID: 8d1d5e2c7389ed2041c708a1cd4a1b485db227c08b2e3ec59ea8c731385e90fa
Opcode Fuzzy Hash: 7d4e601a4da20b18d63b9e2bd644320317ff829a9f9f3f844ede37a8d539f1cd
Instruction Fuzzy Hash: F5212275604384DFDB10EF10D980B26BBA2FB84314F28C56DE8490B282CB3AD847CA72

Function 00DED005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2645113224.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_ded000_EKSTRE_1022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0c67b27e7db1012611b9190b012f3c1dbe9a726457710eacb7bdd87195ab82f
Instruction ID: 61cf8c8eb7e208197d84f8cf83f0993bf161b5afc0b5d5e72f4ba0ee8b7ceb7c
Opcode Fuzzy Hash: f0c67b27e7db1012611b9190b012f3c1dbe9a726457710eacb7bdd87195ab82f
Instruction Fuzzy Hash: B3214B7550D3C09FCB03DB24D990711BF71AB46214F2985EBD8898F2A7C63A980ACB62

Analysis Process: JIlApjvRxj.exePID: 4520, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	11.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	229
Total number of Limit Nodes:	12

Executed Functions

Function 06EAE734 Relevance: 1.8, APIs: 1, Instructions: 251
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EAE976

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 8543bd2045b0a45b94e8efac432e3e2024f718d1fc173265c091f49471111fcd
Instruction ID: 8e110143fb2a375137e46f207c131326d3aac7b81372d0fc9fddd4a668cd2694
Opcode Fuzzy Hash: 8543bd2045b0a45b94e8efac432e3e2024f718d1fc173265c091f49471111fcd
Instruction Fuzzy Hash: 1EA16B71D00319CFEB60DF68C841BEEBBB2BF44314F0495A9E818AB240DB75A985DF91

Function 06EA2CA0 Relevance: 1.6, APIs: 1, Instructions: 59nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06EA2D27

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 11ea9fb5f7cdbd02be633c79e8fb642e1f3bc3b5dc2efc4874a9a48551c2c26a
Instruction ID: 8aeb8cd41b3e5c4d74836b153274fe4cb36fd99fb0176efa56d9561c1d1da19a
Opcode Fuzzy Hash: 11ea9fb5f7cdbd02be633c79e8fb642e1f3bc3b5dc2efc4874a9a48551c2c26a
Instruction Fuzzy Hash: D221DEB5901349EFCB10DF9AD885ADEBBF4BB48320F10852AE928A7250C375A544CFA5

Function 06EA2CA8 Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06EA2D27

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: a8c4c88f0abf21f940077794ed98bab139b40be9ec830f481f40808be79243eb
Instruction ID: 0ae839283b247d0c85c1d4b5a4cc55cf7c76bf879c50d0b2d9c279efbdcaa3a8
Opcode Fuzzy Hash: a8c4c88f0abf21f940077794ed98bab139b40be9ec830f481f40808be79243eb
Instruction Fuzzy Hash: D521BAB59003499FCB10DF9AD884ADEBBF4FB48320F10842AE918A7250C375AA44CFA5

Function 082A99E0 Relevance: .5, Instructions: 510COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c74e5dec2810135c8d2c9a4952cf2318cc0a58a68479b642e56a9b327c27cd85
Instruction ID: 5d3e0b4c727d317c70e2fbe0a3f2802b69a85c6a6979baa2632be2013b1fcb40
Opcode Fuzzy Hash: c74e5dec2810135c8d2c9a4952cf2318cc0a58a68479b642e56a9b327c27cd85
Instruction Fuzzy Hash: 11128F70A102199FDB18DF6AC854BAEBBF6FF88301F148519E916DB391DB349D81CB90

Function 082AF405 Relevance: .5, Instructions: 484COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d9dc59e37b8c5da714817563de944c4fdffd4faf3d030c04d5c078fe8c3f209
Instruction ID: e060a199be14de33ff5186ce231aa10b38d8b23be99f6ef01a4b62b5acc234ed
Opcode Fuzzy Hash: 8d9dc59e37b8c5da714817563de944c4fdffd4faf3d030c04d5c078fe8c3f209
Instruction Fuzzy Hash: B532BF70D112198FEB64DF69C680A8EFBB6FF48312F55C199D448AB211DB309986CFA0

Function 082AA158 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2f4483e96cc868237a055117d625a3fbafd88c39a75d4ebb7b5e2a7cb83c652
Instruction ID: cd6beab7583da1d6114d0a8f3295bf5277616c9598decd50d405e336dfdb839d
Opcode Fuzzy Hash: d2f4483e96cc868237a055117d625a3fbafd88c39a75d4ebb7b5e2a7cb83c652
Instruction Fuzzy Hash: FFD13E74A10229DFCB14CFA9C988AADBBF2FF88701F15815AE816AB265D731DC41CF50

Function 06EAE740 Relevance: 1.7, APIs: 1, Instructions: 243
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EAE976

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: a588dd0a5478bdb73b8f581c5a50d6514ef836c97a4ba41467c75472cd4e4fee
Instruction ID: a05643b058d8d7fb849baaf31908ce34d40d4ab6c5eb39f260b71f6a4e8a5b9d
Opcode Fuzzy Hash: a588dd0a5478bdb73b8f581c5a50d6514ef836c97a4ba41467c75472cd4e4fee
Instruction Fuzzy Hash: CD915C71D00319CFEB64DF69C8417EDBBB2BF44314F1485A9E808AB240DB75A985DF91

Function 0266AD48 Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0266AF9E

Memory Dump Source

Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ce3fef29b7fe9ab10bc8e2683715ddda5291f32277ab351c11eb7af5739324ee
Instruction ID: b613592f3da57301976c42964c50c7920efab553b657b08df8a6c47440fa1ee8
Opcode Fuzzy Hash: ce3fef29b7fe9ab10bc8e2683715ddda5291f32277ab351c11eb7af5739324ee
Instruction Fuzzy Hash: 5E713670A00B059FD724DFAAD45876ABBF1FF88304F008A2DD48AA7B40DB75E945CB91

Function 026644F0 Relevance: 1.6, APIs: 1, Instructions: 96
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026659C9

Memory Dump Source

Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 0eb4bec4302e50c2403de69678798d733fb5e0519e4b11ab4068e574012ad829
Instruction ID: 5e675beb407a3ee50c17a235c3a17d9c1ab5fe01ce36401605c47b8e9773d701
Opcode Fuzzy Hash: 0eb4bec4302e50c2403de69678798d733fb5e0519e4b11ab4068e574012ad829
Instruction Fuzzy Hash: 274124B0D0031DCFDB24DFAAC84479EBBB5BF44704F608169D409AB250DB756946CF50

Function 04D74050 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 04D74111

Memory Dump Source

Source File: 0000000E.00000002.1464388850.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4d70000_JIlApjvRxj.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ec32527337cbe4fd98d7037b651e604995fcb27088b975a3ba3eafdf68c75714
Instruction ID: 8e4381b543e287aad478945488473f26b45df80ddd6d7ea5097d87f4906af9bf
Opcode Fuzzy Hash: ec32527337cbe4fd98d7037b651e604995fcb27088b975a3ba3eafdf68c75714
Instruction Fuzzy Hash: 63414CB9A00309DFDB15DF89C448AAABBF5FB88314F258459D519AB321D375A841CFA0

Function 02665917 Relevance: 1.6, APIs: 1, Instructions: 93
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 026659C9

Memory Dump Source

Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 50d49b304885fb1c1c4c74305c1eb259115b0fd7e7b086696968ebe26324c7a7
Instruction ID: f26675072044200399663d50fd4149762a03a0a2e48f4eb24f355e2daf44a5a0
Opcode Fuzzy Hash: 50d49b304885fb1c1c4c74305c1eb259115b0fd7e7b086696968ebe26324c7a7
Instruction Fuzzy Hash: FF4102B1D0071DCFDB24DFAAC885B9EBBB1BF88704F60816AD409AB250DB756946CF50

Function 06EAE4B8 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06EAE548

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 45931122f095d9c0acab4eaa4607fa7376a794b35762e95d388aaff5e63bc0bd
Instruction ID: e97fbf68e47d7a62b942d00216a4367a645ceed2a60598295f026bc419ed4df3
Opcode Fuzzy Hash: 45931122f095d9c0acab4eaa4607fa7376a794b35762e95d388aaff5e63bc0bd
Instruction Fuzzy Hash: BD2136759003499FDF10DFAAC881BDEBBF5FF48310F50842AE919A7240D779A944DBA0

Function 06EAE4B7 Relevance: 1.6, APIs: 1, Instructions: 69
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06EAE548

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 879c2d7c87aeebb305717494d4fe62bd0dc57b49c8ead06483e3ea04d174653d
Instruction ID: 4d39f4b3626c8e5e85e8cebdd10211c93ca8f645c7018edbdd39b9274b086053
Opcode Fuzzy Hash: 879c2d7c87aeebb305717494d4fe62bd0dc57b49c8ead06483e3ea04d174653d
Instruction Fuzzy Hash: CF2136759003499FDF10DFAAC881BDEBBF5FF48310F50842AE919A7240D7799945DBA0

Function 06EAE5A0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06EAE628

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: ed36fa90a471956fdf61184e459bb2f35b9e84e90e4a4580970cd287de5d6b27
Instruction ID: 27af044b4e165bf62d1e2834c6834dab0f18bbe7adb92a3ae5258c1088f22e01
Opcode Fuzzy Hash: ed36fa90a471956fdf61184e459bb2f35b9e84e90e4a4580970cd287de5d6b27
Instruction Fuzzy Hash: A92125758003499FDB10DFAAC885BEEBBF5FF88310F508429E518A7240D778A901DBA0

Function 0266B730 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0266D5E6,?,?,?,?,?), ref: 0266D6A7

Memory Dump Source

Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: ab4af093abc14d4bea4a75acf40bb5105e3dbefecae288ab259cbff8174d3f40
Instruction ID: 21e77111818a376ee1e16cfa8061486e3c2343ce4cd7f95d467b5355f95ab7eb
Opcode Fuzzy Hash: ab4af093abc14d4bea4a75acf40bb5105e3dbefecae288ab259cbff8174d3f40
Instruction Fuzzy Hash: DC2116B59003089FDB10CF9AD984AEEBFF4FB48310F14801AE918A7350C378A950CFA4

Function 06EAE5A8 Relevance: 1.6, APIs: 1, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06EAE628

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 152dc0be9e5e7f254938cabc31e2593a1dff496264ee5a32cbca5529ab8ecb74
Instruction ID: 582c600850422aa7580b5b80032e37687a233484c64018f6eac6908cd3214a6c
Opcode Fuzzy Hash: 152dc0be9e5e7f254938cabc31e2593a1dff496264ee5a32cbca5529ab8ecb74
Instruction Fuzzy Hash: 9421F871C003499FDB10DFAAC881BDEBBF5FF88310F508429E519A7240D779A944DBA4

Function 06EAE320 Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06EAE39E

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a7315007c50fcd2b7884087f859107023778f2f125f27e9b7b383c606340b257
Instruction ID: 049cd77e09faee0e8af4abd79c309634f95e1e04e18c6e0922f6e4bef1828e1f
Opcode Fuzzy Hash: a7315007c50fcd2b7884087f859107023778f2f125f27e9b7b383c606340b257
Instruction Fuzzy Hash: 6B213571D003098FDB10DFAAC485BAEBBF4AF88324F54842AD459A7240CB78A944CFA4

Function 06EAE31F Relevance: 1.6, APIs: 1, Instructions: 63
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06EAE39E

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 4457e2a1b75b611d208e5cb95fdced6fb8f9a86cb0eca4ed4b23f610b277bb93
Instruction ID: ae8539cbd85653dc87cb7ea59af83940f794d2add9dceef73d33862ca0094695
Opcode Fuzzy Hash: 4457e2a1b75b611d208e5cb95fdced6fb8f9a86cb0eca4ed4b23f610b277bb93
Instruction Fuzzy Hash: AD213571D003098FDB10DFAAC4857EEBBF4EF88324F54842AD459A7240CB78A945CFA0

Function 0266D619 Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0266D5E6,?,?,?,?,?), ref: 0266D6A7

Memory Dump Source

Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 830ccadf4a6216d9649be94ed37b997c52e32ff98a3ccc6f50f0336370117ef2
Instruction ID: 8b79e2eb5dba5b2b254bff4b15171c8150244eedbd4a247c8e882fa2a22974f9
Opcode Fuzzy Hash: 830ccadf4a6216d9649be94ed37b997c52e32ff98a3ccc6f50f0336370117ef2
Instruction Fuzzy Hash: 4A21F0B5900309DFDB10CFAAD584AEEBBF5FB48324F64801AE958A3350C378A954CF64

Function 06EA4038 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06EA40F0

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: f979691d4afdca8f523c5221a9949d757e7fc9a4a9bdd9e26cbe1cd8fa6a2494
Instruction ID: 66c2306d86ca303c81e1fad1775ad28906a6c4bf2ea57e192eb173023e8c020a
Opcode Fuzzy Hash: f979691d4afdca8f523c5221a9949d757e7fc9a4a9bdd9e26cbe1cd8fa6a2494
Instruction Fuzzy Hash: 401134B1C05349CFCB10DFA8D84079EBBF0EF41314F204199D418A72C1DB756958CBA2

Function 06EAE3F8 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06EAE466

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 87ca06cecd7404298b458b323d709e20cd57cb5b8a31c894f07bbd3f3667379a
Instruction ID: 88f7c8f1a31b72be1cbdedbd2094505dc0e489e26b7a29adf4cfdb5ba3f209a5
Opcode Fuzzy Hash: 87ca06cecd7404298b458b323d709e20cd57cb5b8a31c894f07bbd3f3667379a
Instruction Fuzzy Hash: 6B1134768003499FDF10DFAAC845BDEBBF9EF88720F148819E519A7250CB75A944DFA0

Function 06EAE3F7 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06EAE466

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f5313d66686f7659a49dc04ec63ea1756ab0f909cea7f8ac498cf35cb576dcc8
Instruction ID: c0c45d12dab2c9508a14aa8e65d60bc95ed00eec307f7cef12b1fb0454432037
Opcode Fuzzy Hash: f5313d66686f7659a49dc04ec63ea1756ab0f909cea7f8ac498cf35cb576dcc8
Instruction Fuzzy Hash: AC1153728003498FDB10DFAAC844BDEBBF5EF88320F108819E529A7250CB75A944CFA0

Function 06EA3384 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06EA40F0

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 205f2d85afea8f45c6dc2aed492e4664e3c98e8a610a6558ba0682fbbf9a9825
Instruction ID: a2c7bd81779995e49ad0d528144103b473dca7435a38012eb79cf37f4f0853c6
Opcode Fuzzy Hash: 205f2d85afea8f45c6dc2aed492e4664e3c98e8a610a6558ba0682fbbf9a9825
Instruction Fuzzy Hash: CC1133B1C0071ADFCB14DF9AD444B9EFBF4FB48210F10812AD819A7280D3B4A914CFA5

Function 06EA4079 Relevance: 1.6, APIs: 1, Instructions: 52COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 06EA40F0

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: be0a7c08f3680394bd2cfe30b4fb5cedb800f4555221432632eb78414f9501be
Instruction ID: ba91c622b5e1ab7d44946b8e4b290e040283a02aa998cb32055be45c2049d685
Opcode Fuzzy Hash: be0a7c08f3680394bd2cfe30b4fb5cedb800f4555221432632eb78414f9501be
Instruction Fuzzy Hash: F31142B1C0035A9FCB14DF9AD841B9EFBF4FB48320F10812AD818A7240D7B4A554CFA1

Function 06EAE26F Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06EAE2D2

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f94a6bf2308438de42dc6678f4831c27424ed2143fdabf37392193e0d0ab0b7c
Instruction ID: eb7b8b215dfbd84cd1c9592c26dddfe87935acf7ac26de8be656b9387b3fc4e9
Opcode Fuzzy Hash: f94a6bf2308438de42dc6678f4831c27424ed2143fdabf37392193e0d0ab0b7c
Instruction Fuzzy Hash: 3A1125719003498FDB24DFAAC4457DEFBF5AF88724F24841AD519A7240CB79A944CBA4

Function 06EAE270 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 06EAE2D2

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e7d1443c5de2f4b87455b2b047d07b8174b49a8747670e3c09114663779d8466
Instruction ID: 9c1dc61142a29ced053ac5f753350de036df51e8b6136fd2d43db52c664215c7
Opcode Fuzzy Hash: e7d1443c5de2f4b87455b2b047d07b8174b49a8747670e3c09114663779d8466
Instruction Fuzzy Hash: 48113671D003498FDB24DFAAC8457DEFBF9AF88724F24841AD519A7240CB79A944CFA4

Function 0266AF38 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 0266AF9E

Memory Dump Source

Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: aa40d7d8236d412b3c5ceb5e5fc79afbb55f72d1c39dc9bead968e5a506f7872
Instruction ID: 32fa9d14d86c581bed42a8c247a7193fb5d8ac45b3f217e3236def028ed7ce34
Opcode Fuzzy Hash: aa40d7d8236d412b3c5ceb5e5fc79afbb55f72d1c39dc9bead968e5a506f7872
Instruction Fuzzy Hash: D411E0B6C003498FDB14DF9AD544BDEFBF5AB88224F10845AD829B7610C3B9A545CFA1

Function 047C1C48 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 047C1CA5

Memory Dump Source

Source File: 0000000E.00000002.1463731450.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47c0000_JIlApjvRxj.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: a0daa79f98c70b5138d9b347d53cb419634b0daa5e942a9a420bb834481734e2
Instruction ID: 14a5ace2a161a8be806a6542ff8d2f9ab076e347bdd2e56c7b836a81a8facdae
Opcode Fuzzy Hash: a0daa79f98c70b5138d9b347d53cb419634b0daa5e942a9a420bb834481734e2
Instruction Fuzzy Hash: 7311D0B58003499FDB20DF9AC985BDEBBF8FB48320F10841AE918A7641C375A944CFA5

Function 047C1C47 Relevance: 1.5, APIs: 1, Instructions: 44windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,?,?,?), ref: 047C1CA5

Memory Dump Source

Source File: 0000000E.00000002.1463731450.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_47c0000_JIlApjvRxj.jbxd

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 08d101ee71b4d8f76390edd08fe678dba5248ef09e1059aa931e7e11eef0b145
Instruction ID: 525879f0a34499ba1a95ba0a23607dc1d7569d4ad962dbd59e8142ea551848bd
Opcode Fuzzy Hash: 08d101ee71b4d8f76390edd08fe678dba5248ef09e1059aa931e7e11eef0b145
Instruction Fuzzy Hash: 7B11D0B58003499FDB20DF9AD985BDEBFF8FB48320F10841AE918A7641C375A944CFA1

Function 06EA3390 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06EA418F

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 430d0ead21e5a8cdcc212468981ce25ab8f279da422bcf7d2cfae0264b4a5e79
Instruction ID: 82c32c521d6a599e6396a515cb04ae23fc3e7a760dda4859eba5d95f59f30d05
Opcode Fuzzy Hash: 430d0ead21e5a8cdcc212468981ce25ab8f279da422bcf7d2cfae0264b4a5e79
Instruction Fuzzy Hash: 011128B1800349CFEB10DF9AC845BEEFBF4EB58324F108469E518A7281D778A944CFA5

Function 06EA4128 Relevance: 1.3, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000), ref: 06EA418F

Memory Dump Source

Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: c9705bbcee8d12a4db060aa86d629bd4b3959e2774b6ba5725b8d1a7fd336dff
Instruction ID: 1a3d047cce2ea34cd54e0a1a0d91f203785d97842956cf00de72cbfa669d4242
Opcode Fuzzy Hash: c9705bbcee8d12a4db060aa86d629bd4b3959e2774b6ba5725b8d1a7fd336dff
Instruction Fuzzy Hash: 231158B1800309CFDB10DF9AC845BDEBBF4AB48324F108419D428A3281D778A544CFA1

Function 082A0040 Relevance: .8, Instructions: 760COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 929f49a3878f61f93889ea6c694cfbd97bd3f506e66bf58cea239c69be5cd2a8
Instruction ID: f0de6df033a2efc0a6c1f8afe709111a5c5eb19d45e4ac7dac238134fde47674
Opcode Fuzzy Hash: 929f49a3878f61f93889ea6c694cfbd97bd3f506e66bf58cea239c69be5cd2a8
Instruction Fuzzy Hash: C86201B0D21F02CBD7745F7486887AEBAA1AF55315F204D2ED0FECA280EB3595818F52

Function 082AD0BD Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a733ca36dba576c43776a5540f38e47f42d382ea34a57096555ff7b1340e30c
Instruction ID: 4d46a00d2bfec359ade1e38ce053ab8a326356e5a920ba425dbcdd7854e32c9d
Opcode Fuzzy Hash: 8a733ca36dba576c43776a5540f38e47f42d382ea34a57096555ff7b1340e30c
Instruction Fuzzy Hash: 52328E74A10206DFCB14CF68D984AAEBBF6FF88702F158559E509DB6A5C730EC81CB61

Function 082A6F00 Relevance: .6, Instructions: 552COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d7f721bf868c48a97ebeaf33774e9163306db43c3bafea934378e3abf39a6c9
Instruction ID: 73dcf26013120b3ed8acf853391fe24eb18f6f20b9edcdb5eb63800404275533
Opcode Fuzzy Hash: 8d7f721bf868c48a97ebeaf33774e9163306db43c3bafea934378e3abf39a6c9
Instruction Fuzzy Hash: 22225A34B20205DFD708DF64E498A6DBBB2FF88701F60801DE94A9B395DB79AC46CB54

Function 082A0006 Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213a1885e9979cf368d7d4c7fb7155f19a4075a0ec4748f519e62f92b556cfdd
Instruction ID: b9d4f806c8338c1a0120d7b0d166c3875d267a60e2748a0ed5e7758b8a9a9907
Opcode Fuzzy Hash: 213a1885e9979cf368d7d4c7fb7155f19a4075a0ec4748f519e62f92b556cfdd
Instruction Fuzzy Hash: 542267F0915F438BD7705F6486C82AFBAA0AF16309F204D5FC0FE8A255E73691869F46

Function 082AA730 Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf6c492b48c326df5e6faa0b9d2c8f3f37eedeb110d039c3d54ad779de69286a
Instruction ID: f9f57fa780cf83a564ca62955c636eafc7a88bad51cac177a344386fa5695801
Opcode Fuzzy Hash: cf6c492b48c326df5e6faa0b9d2c8f3f37eedeb110d039c3d54ad779de69286a
Instruction Fuzzy Hash: 71125930A10219DFDB15DF69D984AAEBBF2FF88312F148559E84ADB261DB30ED41CB50

Function 082ACC68 Relevance: .4, Instructions: 419COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0e2f53919d6963aa11c8404bc3b5b7812250ee16c810416ce2488829c27be3e
Instruction ID: 61bf74fb0e9df0b615de893aebe0d130eb948a94741f86710a67561313ad4060
Opcode Fuzzy Hash: e0e2f53919d6963aa11c8404bc3b5b7812250ee16c810416ce2488829c27be3e
Instruction Fuzzy Hash: F802BF34A10309DFCB15CF68C884AAEBBF6FF89311F14856AE8159B361D731E956CB90

Function 082ADF58 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e88ec3309b30160ee2ff911a49e3f36b28a02c50ef7c5191a77d18f0b4fab6
Instruction ID: c5bc387b7e30ee2f8af097f2dda9935933d0afc7e22aabe5a45fc5fad04026e2
Opcode Fuzzy Hash: e4e88ec3309b30160ee2ff911a49e3f36b28a02c50ef7c5191a77d18f0b4fab6
Instruction Fuzzy Hash: 6BF14B78A1021ADFCB15CF59C484DAEBBFAFF88301B16C569E95597291C734EC42CB90

Function 082ABCD0 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 235edbcf300ae04470c4da72e7e6f2d8946f43e3f81952e45482a28a15466efe
Instruction ID: a1f3ea0eff63057edf2f347301603a511af6ae0633e7ad1f317e80a571cc9128
Opcode Fuzzy Hash: 235edbcf300ae04470c4da72e7e6f2d8946f43e3f81952e45482a28a15466efe
Instruction Fuzzy Hash: E5B15E30331602CFDB2D9A69C99473936E6EF85752F1840BAE512CF3B5DAA5CC42DB41

Function 082A8F70 Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47df66b5a8bf177aacec3048bc808eb49326f413816e158310703a03b118de6e
Instruction ID: 867f6ad198df8406c94d4c485e6a2d84c650b9c06afb6b9209d89f63f269c97c
Opcode Fuzzy Hash: 47df66b5a8bf177aacec3048bc808eb49326f413816e158310703a03b118de6e
Instruction Fuzzy Hash: 8DB1C130714201DFDB199F7AD884B6A7BE6AF88346F148429E916CB394DF75C882C7A0

Function 082A94D0 Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9195bff109493a90f621c08c03d34f96e47490ceacc1a4aa6a5d881894d7c9
Instruction ID: 4d2d7feb7873c354a80899fc8861c67c2b83c9b8c1dff07414ab3426d37dcef8
Opcode Fuzzy Hash: ce9195bff109493a90f621c08c03d34f96e47490ceacc1a4aa6a5d881894d7c9
Instruction Fuzzy Hash: 8781A574B20205DFCB18DF6EC884AA9BBB6FF88716F158169D426D7361D731D881CB60

Function 082A6BA0 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ebcff325bf93420a269008dfa075647dd53a97e65fbfe60ba79c46f223202d
Instruction ID: 2aaca7c0d98df100d0ef3a8cc7f0299c01bde1b9d82b06af080129e36befa2a6
Opcode Fuzzy Hash: 67ebcff325bf93420a269008dfa075647dd53a97e65fbfe60ba79c46f223202d
Instruction Fuzzy Hash: 4771EE707146029FDB29AB78D858A3E77A6EF99301F58406ED906DB7A0DF34EC0187A1

Function 082A4770 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe22223b7c1ce8a309a401257272f2dab3e94cf024600fd55a1a2e79eddadf15
Instruction ID: e0d88af1627a9f6f0051821fcb0856bebcd54c91f19448e883798afe01a9674e
Opcode Fuzzy Hash: fe22223b7c1ce8a309a401257272f2dab3e94cf024600fd55a1a2e79eddadf15
Instruction Fuzzy Hash: 8981D238720611CFCB14EF68D4989697BF6BF89B05B1581A9E902DB375DBB1EC01CB90

Function 082AAD10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc0bacdc552b578a0b18db63316b046061057175517db9a3baf365879becc900
Instruction ID: 596f30c6bec0b9627a94267226d2bd0756db500fc56230e32477d04cb6a61750
Opcode Fuzzy Hash: fc0bacdc552b578a0b18db63316b046061057175517db9a3baf365879becc900
Instruction Fuzzy Hash: CC711934720226CFCB19DF29C594A7E7BE6AF49702B5940A9E906CB3B1DB71DC41CB90

Function 082A2168 Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71d990f06eccc18863987102ad1683397e70edb9c4e3e88d665caf814c839058
Instruction ID: a50c4a7407fc4cc48b88ae6eccc3039102cf19cc9ba849f529146d913fb3c232
Opcode Fuzzy Hash: 71d990f06eccc18863987102ad1683397e70edb9c4e3e88d665caf814c839058
Instruction Fuzzy Hash: BB91FB3190061ACFDB10EF68C884A9DF7B1FF89304F11C69AD5497B225EB30AA85CF91

Function 082A4288 Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0be706a3f7de7da11a9d84ce9918a07a9916567f5848b018090d85c8e40dee5
Instruction ID: 844db3cbc645e00b729e2a044259427500f324567ea37f83a983ecc5b01c61f8
Opcode Fuzzy Hash: f0be706a3f7de7da11a9d84ce9918a07a9916567f5848b018090d85c8e40dee5
Instruction Fuzzy Hash: C0712B35B10218CFCB18EFA4C5549AD77F2FF89711B2444A9D405AB3A1CB76EC41CBA5

Function 082A6EF3 Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2669e34c9e79aea004aec56390bff0dcf2fc7be01fa67df0499d8090bd6bef89
Instruction ID: ea52a4306d3534d2a89262238b61bec84803e82235111d2754ba0faf809534e0
Opcode Fuzzy Hash: 2669e34c9e79aea004aec56390bff0dcf2fc7be01fa67df0499d8090bd6bef89
Instruction Fuzzy Hash: 23714D34A10606DFDB28DFA5D48466DBBF2BF88302F24802AE846EB395DB34D845CB54

Function 082A1258 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d1894653f8fc95e69ff564121192c29279caf24f02d372c5b4800c23aece6fc
Instruction ID: 55f546eb832bf16151525712543a156a616b746376a2a50c409eabd513dd6479
Opcode Fuzzy Hash: 6d1894653f8fc95e69ff564121192c29279caf24f02d372c5b4800c23aece6fc
Instruction Fuzzy Hash: 2A71C275A10209AFCF05DFA9D880ADEBBF6FF48310F14852AF915A3250D731A951DFA0

Function 082A73D0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5689d27fe79fb9c2abbd6508a9da0f1f12af9acb7b6541dce20fceb83fbf944b
Instruction ID: c3df11120b497c8ce33387f2a58cfa9b20fe78e19f58b4b6e4a3dd83b3cb77b0
Opcode Fuzzy Hash: 5689d27fe79fb9c2abbd6508a9da0f1f12af9acb7b6541dce20fceb83fbf944b
Instruction Fuzzy Hash: 7961F5343216109FD645AB70E45AA7D3BA3E789B01F60800CFA4A4B3C9DFBE5D479B85

Function 082A463B Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3364034986253a5e3090aeaf0e3ac0fac4920f1fe5500ace706a5a005d1a21bc
Instruction ID: d7281595e1194e12e60669629a377658a602427d3232ee22ffb92645f042f605
Opcode Fuzzy Hash: 3364034986253a5e3090aeaf0e3ac0fac4920f1fe5500ace706a5a005d1a21bc
Instruction Fuzzy Hash: 5F5189347106118FCB18AB79C854A6EB7E6FF89B01B15456DE906CB361EFB5DC018B90

Function 082ADD10 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2ed6493ab1d150b78e75e37255ad064ff8abe6971d5590aad32b9aba0ac6dd
Instruction ID: 3a35cee64e6f61ba01142ef4a29064730642cad3a12307ce3ba10c5330aa0336
Opcode Fuzzy Hash: 8e2ed6493ab1d150b78e75e37255ad064ff8abe6971d5590aad32b9aba0ac6dd
Instruction Fuzzy Hash: C9618975E1074ACFDB15CFA5C6406EEBBF2AF8A301F64821AE845AB641D770A981CB50

Function 082ADD00 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0442378ab553bcf7a212490e8806cdd17f979fc520f933b48479d9af455b4371
Instruction ID: e59980e74fe209b7ab6fe33d0a7e8b445da74e2c0d5c578c1c982705df6aa3db
Opcode Fuzzy Hash: 0442378ab553bcf7a212490e8806cdd17f979fc520f933b48479d9af455b4371
Instruction Fuzzy Hash: 0851AB74E1074ACFCF21CFA5C5406EEBBF2AF89311F64821AE855AB681D770A981CB50

Function 082AFB38 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53fe0db90522b5d45ef412aa891597c1b7a5e5c713e1253e7cda4e8ef8efdf0f
Instruction ID: 8c0b7828fb02f42c651bf6bbc396d79619c1b27d114a4e8c1c15a96446efd0d4
Opcode Fuzzy Hash: 53fe0db90522b5d45ef412aa891597c1b7a5e5c713e1253e7cda4e8ef8efdf0f
Instruction Fuzzy Hash: C051A474E012199FDB08DFA9D994AAEFBB2FF88300F10812AE915AB354DB755906CF50

Function 082ACEE3 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3139f3f1ff227af36ed22337eae7bcf83bc95bc325a58eb0fda6693b0cdc7920
Instruction ID: 0a2058866ba801cd58816344c3ea4a97d9be78fc56902eb600be54c23398685b
Opcode Fuzzy Hash: 3139f3f1ff227af36ed22337eae7bcf83bc95bc325a58eb0fda6693b0cdc7920
Instruction Fuzzy Hash: 4441E130A14249DFCF15CFA4C884ADEBFB2BF89311F048056E815AB2A5D371E856CBA0

Function 082AFB29 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbbd996dfc302ae95d31626562457513a9a54ad76b8ed5361aa80d36f7be41de
Instruction ID: ad5b90f2d34030adf68244e5c22663d958ee1ca8e07963ce3ec4da8537bcc7d2
Opcode Fuzzy Hash: fbbd996dfc302ae95d31626562457513a9a54ad76b8ed5361aa80d36f7be41de
Instruction Fuzzy Hash: 9D51D574E012199FDB08DFE9D884A9EFBB2FF88300F10812AE915AB354DB715906CF50

Function 082AC641 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bce1a1a4caa6047c99fc2a9f5f4735529560b3f6d6b971442c7921c0f26cf6a
Instruction ID: dce9551927e28e35e0486f276b0696ae03970f7032b13852b5fba21baddad72b
Opcode Fuzzy Hash: 3bce1a1a4caa6047c99fc2a9f5f4735529560b3f6d6b971442c7921c0f26cf6a
Instruction Fuzzy Hash: 97410270910601AFC714CB69CC84966B7AEEFC03767198729D929973A5E731ED12CBE0

Function 082AFB35 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ca94d49c208d105a4b5cd8e2e813f9d0d024344619e2707de104293357f7354
Instruction ID: db12925270a77a3b20cd18dcb3cf631491590c672a310b8c1224714b1e04fc37
Opcode Fuzzy Hash: 6ca94d49c208d105a4b5cd8e2e813f9d0d024344619e2707de104293357f7354
Instruction Fuzzy Hash: 8551B674E002199FDB08DFE9D944AAEFBB2FF88300F108129E915AB354DB715906CF50

Function 082A4AD0 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7797c07c20e8aef9614696dbb788784e75a85dc90fe95007e0a4b2c454700421
Instruction ID: d1513f0d59e7dbcbea1bcd76f6ef47b9a99f31ae873c805a561b1b0eb3695af8
Opcode Fuzzy Hash: 7797c07c20e8aef9614696dbb788784e75a85dc90fe95007e0a4b2c454700421
Instruction Fuzzy Hash: 84417175E10219CBEB14FFB4D0547ADBAB2EF88316F14482ED801B7350CBB59881CBA9

Function 082A1DF0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a06c2a458c23b848be301bc3dca8cd8c8a1ae0d0bd466385c31d5957a1013580
Instruction ID: 4904e08918985eeda799e08d4a577291b7b437903a271b81f069e92dac85fe32
Opcode Fuzzy Hash: a06c2a458c23b848be301bc3dca8cd8c8a1ae0d0bd466385c31d5957a1013580
Instruction Fuzzy Hash: A941D230B146058FDB01EB68C814AADBBF6EFC5311F15816AE40ADB3A1DB74DD81CB91

Function 082AA008 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31f6620eb1013b4dea56c6e33bed5a2c78a12efd0a5864f0f0055601cfc7fe69
Instruction ID: f086d47f4cde749c86ded387290d7c283c0be72156ed3a728e5681c26a246604
Opcode Fuzzy Hash: 31f6620eb1013b4dea56c6e33bed5a2c78a12efd0a5864f0f0055601cfc7fe69
Instruction Fuzzy Hash: B941CB30A00319DFDB15DF64C884BAABBF6FF88315F04802EE9169B251DB759946DBA0

Function 082A8008 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3aa4b2bdbc711f1e6f44cdb70a4020b0655e4260986d21b57b265f0d31f6a46
Instruction ID: e88b767c87e022f2067f046dedcd03a506611abbaa9347d0c9bbf9792d42b397
Opcode Fuzzy Hash: d3aa4b2bdbc711f1e6f44cdb70a4020b0655e4260986d21b57b265f0d31f6a46
Instruction Fuzzy Hash: 3531723161420ADFDB05AFA5D894AAF3FB2EF48341F048029FA069B345CB35D961DFA1

Function 082ABB30 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49d754765d46a05bc75cf4c86a721fb36c4e6029e6beac470898f7b88d8481f3
Instruction ID: 755bcf94a239ccab688ec22bb8eb032f5f9144cfbdcb2490d1616048f3e3874d
Opcode Fuzzy Hash: 49d754765d46a05bc75cf4c86a721fb36c4e6029e6beac470898f7b88d8481f3
Instruction Fuzzy Hash: 0431C6707242068FDB29EB35D854A3DB76AFF85722B144C9ED852CB245DF64CC41C791

Function 082AAFB8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd77a3aa2727a54be09d98e603bb9e878e350470c0ec6f344d9250ef4c24d156
Instruction ID: 38bdcb9bf975308a545910ca7a262677613cdfd46a4abc53bf2df6fb0456566c
Opcode Fuzzy Hash: dd77a3aa2727a54be09d98e603bb9e878e350470c0ec6f344d9250ef4c24d156
Instruction Fuzzy Hash: FD21C531325212CBDB186A36849433E75DBAFC5766F14843DD912DB399DE66CC82D780

Function 082A124B Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e16ada2fa3cab9f1215fcbf643a3b9f3a79f34ed7f410111514e7762f245937
Instruction ID: b8f815319b7bf2231140201f39b866da3aa877438f88615ee32194d9e712d2ee
Opcode Fuzzy Hash: 6e16ada2fa3cab9f1215fcbf643a3b9f3a79f34ed7f410111514e7762f245937
Instruction Fuzzy Hash: 7B31A276E1021AAFCF01DFA8D8809EEBBF6FF8C310F15412AF915A3210D73199659B90

Function 082A4AC0 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48d1992fb57ada5e2bd20804a1ce6c90ce6191e0ba9ac901e53db386f53ed05d
Instruction ID: 99b392c4b4183ec7cbd53962feaf8494ea38745fe483477e4daaab0f6d772335
Opcode Fuzzy Hash: 48d1992fb57ada5e2bd20804a1ce6c90ce6191e0ba9ac901e53db386f53ed05d
Instruction Fuzzy Hash: 59318074E51615CFEB18EF7590543AD7AB2EF88312F10883EC802B7391CBB989858B95

Function 082A67B3 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ef55e2ae2ad067c5f59f20cf94119c7664a11ff570758fe80145864291ba27e
Instruction ID: c94fbece8feaa26248009e573cf857f635e9a2c037edf91ceb6791a8eb7db541
Opcode Fuzzy Hash: 8ef55e2ae2ad067c5f59f20cf94119c7664a11ff570758fe80145864291ba27e
Instruction Fuzzy Hash: 9331B435610205DFDB14DF65C844BAEBBB6EF84305F00456DD6029B6B1EB35ED4ACB90

Function 00DBD3D8 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1458383982.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dbd000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e1d8eb6bee010b9032f3edaf1174915a30c8ac576b216eaec714a1daaff0ae
Instruction ID: 90d23a6fb1bf275f4600468804a9ec2fa071099c939e5cea6a34b2a55662bff2
Opcode Fuzzy Hash: e2e1d8eb6bee010b9032f3edaf1174915a30c8ac576b216eaec714a1daaff0ae
Instruction Fuzzy Hash: 132125B5604304DFDB04DF10D9C4B56BB66FB98324F24C66DE84A0B256D33AE856CBB2

Function 00DBD4C4 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1458383982.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dbd000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 811ca8d51993f41632ae229adaa0afbe0cbf74a874fd6bad0d29bbdc0264939f
Instruction ID: 27f45b829585ae90008d7e3e25f89919ed8e1aa951bcd6c27e58a41801c6762d
Opcode Fuzzy Hash: 811ca8d51993f41632ae229adaa0afbe0cbf74a874fd6bad0d29bbdc0264939f
Instruction Fuzzy Hash: 45213371504200DFDB10DF10D9C0B66BFA6FB88328F24C169E84A0B246D336D806CBB2

Function 082A1DE0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ff8946af780e6d68279700b6c5b9011578623da43474ddb97536c5d293781e1
Instruction ID: 80b139fe34b8a6a8e95c9df4ff1cec93cedd8fa405eb815eb54ba341b9fd4a2b
Opcode Fuzzy Hash: 2ff8946af780e6d68279700b6c5b9011578623da43474ddb97536c5d293781e1
Instruction Fuzzy Hash: 92216D70B006058FCB04EB68C549AADBBF6EF88311F14415AE81ADB3B1EB70DD41CB91

Function 082A9338 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42e50f949075422ce25b355910fa82d16685aafe02fecc8af223da2dd5967eb0
Instruction ID: ba8ab3ad06995fdb371bd81998cda20c5d3e8511b409d668e70dd1cdd6a4f028
Opcode Fuzzy Hash: 42e50f949075422ce25b355910fa82d16685aafe02fecc8af223da2dd5967eb0
Instruction Fuzzy Hash: 2221DE38721612CFC719AA3AD454A2EBBA2EFC8792714806DE916CB394CE31DC418BD0

Function 082A67C0 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b200a4f77e1ee1ea1f63b98662015e82772ffb2c6799409a4d37e7ee73439f7
Instruction ID: 94683cf5e73b719349aa7f962ed4e0ad036fd4be16e6236f40fbac5c5a2072ce
Opcode Fuzzy Hash: 2b200a4f77e1ee1ea1f63b98662015e82772ffb2c6799409a4d37e7ee73439f7
Instruction Fuzzy Hash: 1021D331610205DFDB20DF65C844AAEB7B6EF84301F00456DD6029B6B1EB35E94ACB90

Function 00DCD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1458462205.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dcd000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df53596bb05ec1a14c8dc48881d327b8cf8c3efb0fe4a3735c610cf1734262fe
Instruction ID: d54f27d0cbdea380915ac44acaae6f868c8c2d7f7280a6f789f9808ed7c4646e
Opcode Fuzzy Hash: df53596bb05ec1a14c8dc48881d327b8cf8c3efb0fe4a3735c610cf1734262fe
Instruction Fuzzy Hash: D121CF756043059FDB14DF18D984F16BBA6FB84324F24C56DE84A4B286C33AD847DA72

Function 00DCD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1458462205.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dcd000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ed9ed2068bad4f034b55f0f22fc7f25bb0be3c172f17f2050d2ed7c8c045c4
Instruction ID: 621e4ee3ba0609e92aa043f45ea7523f9a6adb94d002d6d9fb77cc0eff7b29e6
Opcode Fuzzy Hash: 16ed9ed2068bad4f034b55f0f22fc7f25bb0be3c172f17f2050d2ed7c8c045c4
Instruction Fuzzy Hash: AA21CFB5604305AFDB05DF10D984F26FBA6FB84314F24C67DE8494B296C336D846CA61

Function 082AC2A0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df551559bfca8b4685c8e14811163e8fcba89dad1a563152e2e7556e9412fb8a
Instruction ID: f003515b2a532b05334978021899f409f8bd54343adc3d20245ba93a9b8d2112
Opcode Fuzzy Hash: df551559bfca8b4685c8e14811163e8fcba89dad1a563152e2e7556e9412fb8a
Instruction Fuzzy Hash: 7A216674A2021AEFEB18DFA5D944BAEBBB6BF44301F10442DE501A7380DB759901EBA4

Function 082A4D88 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd3799ef378aaeea8559fa872b87c6cf1c7eda5fd6bea692d6204735a169433
Instruction ID: 342056a59f3046c829aef75bce6c086cd43c15de941a5e6da8b3e5a7eb4998d3
Opcode Fuzzy Hash: 4bd3799ef378aaeea8559fa872b87c6cf1c7eda5fd6bea692d6204735a169433
Instruction Fuzzy Hash: 4F21B275E1021AEFDF059FB0D85499DBBB2FF89304B448519E002BB264DB75A855CF90

Function 082A4D98 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94267de3ff9d529d25095fd337208c37c514bece05b53245ee4d13b883a5e39d
Instruction ID: 1df74548c5047459ae904957a11f2c40beaf7fe8278f65ac02eca22610ac34b7
Opcode Fuzzy Hash: 94267de3ff9d529d25095fd337208c37c514bece05b53245ee4d13b883a5e39d
Instruction Fuzzy Hash: 2021FF31E10219EFDB05AFA0D8949DEBBB6FFC9304B488519E002BB260DB75A855CB90

Function 082A7FFB Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efcdd57d290b15486df012f6f3343f4b8b693b9a6fa31b964c6ee1b3fbc4558
Instruction ID: 20aa498de60a05906823488b2ac0bae413c280a188b523ae69d64bd2f7b73ed9
Opcode Fuzzy Hash: 2efcdd57d290b15486df012f6f3343f4b8b693b9a6fa31b964c6ee1b3fbc4558
Instruction Fuzzy Hash: 26219A31A15209DFDB05AE68D484BAA3BA2EF44311F008038F9068B344CA79D961CBE0

Function 00DCD005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1458462205.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dcd000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2df9647d1cba0ca24f1038a08564ea32f562fad188efade10bbdb12c60953cb
Instruction ID: 45ec2eba67ef89c2feecbd3a4e8f919a1edc70796ff63bebd21242caa8ed72dd
Opcode Fuzzy Hash: c2df9647d1cba0ca24f1038a08564ea32f562fad188efade10bbdb12c60953cb
Instruction Fuzzy Hash: 342186755093808FC702CF24D990B15BF71EB46314F28C5EED8498B697C33A980ACB62

Function 082AC290 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 694125f87ad5a83c44de5173e44d69b725ed666d9b121867d914e7a477444e3f
Instruction ID: ad0e60a912dafe5e8eb33a8135ff6f71aac6fc1897b19bde0764d76c743a063a
Opcode Fuzzy Hash: 694125f87ad5a83c44de5173e44d69b725ed666d9b121867d914e7a477444e3f
Instruction Fuzzy Hash: 7511DD74A20259EFEB18DFA5D944BAE7BB2BF80300F00462DE411A7380DB308801DBA4

Function 00DBD3D3 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1458383982.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dbd000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 3e84e4eaaef49ce0c99aaac9876476761bdc4697047cd26e20bf34332d72f3a0
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 2811E676504240DFCB15CF14D5C4B56BF72FB94324F28C6A9D84A0B657C33AE85ACBA2

Function 00DBD4BF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1458383982.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dbd000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction ID: 327bc1099d18b3c81fc0001fb2dec71c49bd68bbc2f3c4e061dcdc2b79acabc2
Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
Instruction Fuzzy Hash: 7211E676504284CFCB15CF14D5C4B56BFB2FB94324F28C6A9D84A0B656C33AD856CBA1

Function 082AC725 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f91e05bbb0914bf62a6c006361fff0eb5fef9e7f012a60ca5933345efc9c5c
Instruction ID: 7fbc70dfed29f146f7763fcfe974b0679bfd5f15026e2fec2fffb4ce08314486
Opcode Fuzzy Hash: 48f91e05bbb0914bf62a6c006361fff0eb5fef9e7f012a60ca5933345efc9c5c
Instruction Fuzzy Hash: 96110634A14205EFCB10CFA8CC848AEBBF9EF44321B148065D414E7362E730E904CB72

Function 00DCD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1458462205.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_dcd000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction ID: f587632a631109559f0ca652a61cdef803b69cd6ec1f5b8b7f4f8598b3158bf8
Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
Instruction Fuzzy Hash: 66118B76504284DFCB15DF14D9C4B15FBA2FB84324F28C6AED8494B696C33AD84ACB61

Function 082A8AD0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ef25716bd57660e96c73d0550652f85df36a1c247cd0a54784b765c12084e5e
Instruction ID: bd973ae85b6e002f729099d8f8a257e178f4b263707d40c4eeddc6968934a890
Opcode Fuzzy Hash: 0ef25716bd57660e96c73d0550652f85df36a1c247cd0a54784b765c12084e5e
Instruction Fuzzy Hash: 3701D4B2B001186BDB059E59D810BAF3BAADFC8791F148029FA05D7380DE72DD119BA5

Function 082A40C0 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3f8911348ce3e81f6a23a25c5a8ef34bd3521e8f1aadbf38ae361040aad5d10
Instruction ID: 0e08433f94b586a57ec44075b45c8f9040b2e45658777892ce9d932955b30c2a
Opcode Fuzzy Hash: e3f8911348ce3e81f6a23a25c5a8ef34bd3521e8f1aadbf38ae361040aad5d10
Instruction Fuzzy Hash: 06018F353205018FDB18EA2DD850E6AB3A6FFD4306B14406DE946CB320EA71FC01CB90

Function 082A4B5A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d855e881de211100a578ff677e0554dafa87beb966842daad5d1fdfbdb4be918
Instruction ID: 78e5d975dee169bfe691e76c6f18260901af5c35a67a455bec8273f9c09853e7
Opcode Fuzzy Hash: d855e881de211100a578ff677e0554dafa87beb966842daad5d1fdfbdb4be918
Instruction Fuzzy Hash: F2014475D10609CFEB14EFA594547AD7AB1EF88313F14442DC401B6381CBB98985CFA9

Function 082A4E7F Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acbebc3f7e83f40577198809438d9e547d0564075ae71141cde9db3a21ef7997
Instruction ID: ddc9585f9f0e7405dd1658643284b2c4f5f1c87483cd473ddb35842962eea2fe
Opcode Fuzzy Hash: acbebc3f7e83f40577198809438d9e547d0564075ae71141cde9db3a21ef7997
Instruction Fuzzy Hash: 40F04F2560E3C44FDB079B78582459A3FB09F5720070A45EBD089CF2B7D619881A8792

Function 082A40D0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c209b1d0d546bdc82b62252fc9d76877b80280623f40a0a7c423ba28afa55951
Instruction ID: 625d5f0dc1b4be81e7137a4b22049b4a1f0a9365c4f5ef168f83c0be6aa98309
Opcode Fuzzy Hash: c209b1d0d546bdc82b62252fc9d76877b80280623f40a0a7c423ba28afa55951
Instruction Fuzzy Hash: D5F031343205018FDB18AA6DD450D6EB7E7BFD4712715907EE946CB324DA71EC028B94

Function 082A562F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2162ac56cb7906cdb2ef454e01497ec51f8c2d04632f6ddfa11934a2e6d024ec
Instruction ID: 4b54f62390d15e56b24df74c939aa8d1cb674f00c38bfc3ca6963646a179d942
Opcode Fuzzy Hash: 2162ac56cb7906cdb2ef454e01497ec51f8c2d04632f6ddfa11934a2e6d024ec
Instruction Fuzzy Hash: 22F06235B10314DFCB18AB65E405A7E7BABEBC1711F40882DE44687350DF359803CBA4

Function 082A5640 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 851d0623d75cece7bc6f15aa747ab765e03a755cabc4d449ed945601ae50eea4
Instruction ID: c7bed4c94b0646a43e56afce7e79159614929e9d23d6d43f3cad1d2be9fd26bf
Opcode Fuzzy Hash: 851d0623d75cece7bc6f15aa747ab765e03a755cabc4d449ed945601ae50eea4
Instruction Fuzzy Hash: 99F08235B04314DFCB18AB65E40497F7BABEFC5761F50882DE44687340CE35A806CBA5

Function 082A4491 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1198c61e6b2869c6ec7311027394f8d0ff044e1c99b70fef2d08fd650a539b0
Instruction ID: d845f82828ee7017e0214a564852207da6430fe58e3693d073f8aff862e5fa08
Opcode Fuzzy Hash: f1198c61e6b2869c6ec7311027394f8d0ff044e1c99b70fef2d08fd650a539b0
Instruction Fuzzy Hash: 8AF0F935B102198FCB00EB98D4489DDB7F6FF88725F194199E946B7360CB71AD05CBA4

Function 082A69A8 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b9cb23ebca14255d3e5899b27cb6b1d706e469616ece49e3768c5051abd0d46
Instruction ID: 873c9867b3bb22d73abc8d06f2ff35f3ceb208ffd0840c1190cc964d82f361e9
Opcode Fuzzy Hash: 5b9cb23ebca14255d3e5899b27cb6b1d706e469616ece49e3768c5051abd0d46
Instruction Fuzzy Hash: 9AF08230910609CFCB04EF78C5056AABBB4FF45301F61869ED809AB221EB71ED85CBD1

Function 082A6970 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7347153fb4ccda03fd43eaa2dc0693c1b362d70ed66eae223c5f7f19552f31c
Instruction ID: 11dd1d359018e2755e813c5451053245db70b4c14a723ade93c96c71714fafe2
Opcode Fuzzy Hash: f7347153fb4ccda03fd43eaa2dc0693c1b362d70ed66eae223c5f7f19552f31c
Instruction Fuzzy Hash: 2DE02B363401484FCB00A75AE800C9DBFFECFC5A2A71440ABE50CC7221D634AD028790

Function 082A162B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5adec061b594b16540d74c98600682b0e9c083267b9d38dc060cf1d4a047a9fe
Instruction ID: cc88aed03a931d7aeed6e2d655016820fc9dfcbcfe01f844fef7738a656984d2
Opcode Fuzzy Hash: 5adec061b594b16540d74c98600682b0e9c083267b9d38dc060cf1d4a047a9fe
Instruction Fuzzy Hash: 42F06DB1D1020A9FDB04DFA9C8017AEBFF4EF48300F14849AD505E7341E770A6108F91

Function 082A1638 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 207dee520534ee02a47ff09721ab87c74af3dbb102ba80709d649b605cbe7e0d
Instruction ID: 3236bbe024b84fd679a5d4edc281b5d3121db98a76f65cb1c4ec329bd92994d1
Opcode Fuzzy Hash: 207dee520534ee02a47ff09721ab87c74af3dbb102ba80709d649b605cbe7e0d
Instruction Fuzzy Hash: 60F03AB0D1420A9FDB44DFA9C801AAEBBF8EF48310F0045A9D909E7340D77096508F91

Function 082A4BB5 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c2be77f470b2dfb078c268ddc32207722447359cf4c64697a47f40a15e01b7d
Instruction ID: 6b6e0807262f37625aa767b7383543bd1ea24f65b87499b24a2778f01d3a8c05
Opcode Fuzzy Hash: 4c2be77f470b2dfb078c268ddc32207722447359cf4c64697a47f40a15e01b7d
Instruction Fuzzy Hash: 39F08230E1060ACFEB14FF75945876D7AA2AF84302F04843CC405A6280DBB884818FA5

Function 082A69B8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf206bdde630e77c6c85e6af6bd82ba197bd9ad8dc8aaaa26fa5d683687f078
Instruction ID: f45dd2226014dd6a4c10d987da2e9e41b521eccd1d48090018c92fe6a506e451
Opcode Fuzzy Hash: 9cf206bdde630e77c6c85e6af6bd82ba197bd9ad8dc8aaaa26fa5d683687f078
Instruction Fuzzy Hash: 37F03031911619CFCB00EB78C504499B7B4EF45704F55869ED8486B325E771E985CBC1

Function 082A5F71 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3f455cb32557401a2ab5f8f2f6c7eeabfd42fce382d4066db3495548019b38
Instruction ID: 519fb540afb7f2f2d4159fde6b57e74c6c4cbbdded3c1ff465c479676aceefa0
Opcode Fuzzy Hash: 6c3f455cb32557401a2ab5f8f2f6c7eeabfd42fce382d4066db3495548019b38
Instruction Fuzzy Hash: 31F0303534A7808FE315E7B89560BDB7BA79FC5366F0404BED48587292DA759801C760

Function 082A5F80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f177f1929a4bcdb931214f4433e9c47ede05fb55a6dc10eed2549f1f10f060f5
Instruction ID: 8c6b7ce6d47e537250fd765ddb248544530ebeabe075cc2efaf891f1bf6e3d73
Opcode Fuzzy Hash: f177f1929a4bcdb931214f4433e9c47ede05fb55a6dc10eed2549f1f10f060f5
Instruction Fuzzy Hash: A3E01A353467148BE724AAB9D550FDBB6ABAFC5766F0004BDD94A87380DB72A801C7A0

Function 082A6B9F Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19099e2edbb14d02863f87f0b531ab8a632179bd406964214dc99bb8e65ceede
Instruction ID: b1b1db7b1cad984b37c68c108bb8603486235d3e00089c5e0235a0ec647ec739
Opcode Fuzzy Hash: 19099e2edbb14d02863f87f0b531ab8a632179bd406964214dc99bb8e65ceede
Instruction Fuzzy Hash: B1E0C272304620578634661A64019ABB7E9DFC4721B08052FD60987240EF62E8438394

Function 082A16CB Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b547c01bf8f968041a5420a2803437999d96ff5470b80da22342ddee09e230
Instruction ID: 39e9f31b38f49089afdd8495d3d2791896d42e1ddf4ac923bf51cf420449a496
Opcode Fuzzy Hash: a9b547c01bf8f968041a5420a2803437999d96ff5470b80da22342ddee09e230
Instruction Fuzzy Hash: 09E02B371501086BE742EA80EC05F5237FCAB24771F084822F805C9111E711F075E750

Function 082AF3C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db2a5ebd1944e95dfbbebf8ef97612c038ffb2a1237406938db174108db6512
Instruction ID: b96141e8868a234ae4c08706839c352048a1576944b60752b665323bc342d719
Opcode Fuzzy Hash: 2db2a5ebd1944e95dfbbebf8ef97612c038ffb2a1237406938db174108db6512
Instruction Fuzzy Hash: 01D05E7015A7899FD3025AB6AC09BB53FE8DB03206F0904A6B149C6492DA6448498BF2

Function 082A76A8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a058876a5675dadf97bffcaf7b23320f4f10e1d936c4c1a6d0bedc9b6e3605fa
Instruction ID: ba3df829fbebc6dd9c31d34df8ea5b7283b368d1e1dd59e041fa0b113751b609
Opcode Fuzzy Hash: a058876a5675dadf97bffcaf7b23320f4f10e1d936c4c1a6d0bedc9b6e3605fa
Instruction Fuzzy Hash: 02D05E323501248FD3009BB9F848F9277ECEF49B65B0180A6E20CCB221DBA2DC008790

Function 082A6980 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 681c3a2486f7c7af6899090ebb90022704ec01a298c1ec89c28fc2b93d468b50
Instruction ID: 9e38576d5aa936d37943b0100028485a938929e60ea03146aa0477cc3d4adff4
Opcode Fuzzy Hash: 681c3a2486f7c7af6899090ebb90022704ec01a298c1ec89c28fc2b93d468b50
Instruction Fuzzy Hash: D4C01223340424131609714F6810C5FB6DD89C6969250402BE508873104D986D0341E5

Function 082A976F Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 441dc1b07cca3b9bcec01df16d00b7bc1f59c4bf0672a6ecdb83f8b775559768
Instruction ID: 20772d696b07dc44d96b10342a31938f66db5681da0c1d9c3eb7e228fa5eeb0a
Opcode Fuzzy Hash: 441dc1b07cca3b9bcec01df16d00b7bc1f59c4bf0672a6ecdb83f8b775559768
Instruction Fuzzy Hash: FCD0127001538C8FD606FB65AC555553B6BFB81541B108559A9154E01FEF7459048BB1

Function 082A57F3 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca7a0ae7efb6dbdfe5aa7fdb64c93c4d7df8288ae379aa300e090b42f7c5f0f
Instruction ID: 352e99271971c012f57dc8f49730a5851781fbe0924f0129a42da96e146a7781
Opcode Fuzzy Hash: fca7a0ae7efb6dbdfe5aa7fdb64c93c4d7df8288ae379aa300e090b42f7c5f0f
Instruction Fuzzy Hash: 73D0A7E250428017E759DA2D94883957FC29F6A318F0CC4F4CE418924BE9294527C281

Function 082A4A8F Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16fd69308eb0750fd98dcd2b4a9e400e648cbb1a3ffb92ed4002904121514dce
Instruction ID: b026d0bb007e225e0f332751be0b2cfff524fe0bfd0c3845a22dff967578acd3
Opcode Fuzzy Hash: 16fd69308eb0750fd98dcd2b4a9e400e648cbb1a3ffb92ed4002904121514dce
Instruction Fuzzy Hash: 5ED0A734951603DFDF12DF68E868604B7A0FB40305B00C295D0018B009E778E482CB84

Function 082A9780 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e3e2acbf44e9c5f71bc68e9728a18aa7622ca392ab8d969bd4b9ac71f3cf682
Instruction ID: 720b8a49aa5d25cd62fe8f89c0530210c321dca216770b79426bec82019b44e2
Opcode Fuzzy Hash: 6e3e2acbf44e9c5f71bc68e9728a18aa7622ca392ab8d969bd4b9ac71f3cf682
Instruction Fuzzy Hash: EFC0123101030CCFD905FB65E845555376FF6C4541B40C518A5150A51EDF785D044BB1

Function 082AF3D8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e232bf56176022f27eda1c44fb13a3521f6b8f75fbb124f4fadc627ff1ec3964
Instruction ID: 730caa9bbe4e79ed18e084f0691f441a89c9b4103ce5fd64c37cb65735c0d2af
Opcode Fuzzy Hash: e232bf56176022f27eda1c44fb13a3521f6b8f75fbb124f4fadc627ff1ec3964
Instruction Fuzzy Hash: 0DC08C30052349CBD310ABAAF54CB2836E9AF01303F580020B20A804909EB40040CB65

Analysis Process: JIlApjvRxj.exePID: 7752, Parent PID: 4520COMMON

Execution Graph

Execution Coverage:	13.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	3

Executed Functions

Function 02CBC168 Relevance: 2.0, APIs: 1, Instructions: 529
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000012.00000002.2646113626.0000000002CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2cb0000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 940f004f01426f915bf61ff81f6b5f23993f11a6089f067a3857ee09328f4534
Instruction ID: 2f7c2d47903556995977ad3208670bc64d219ed12b92e5e0f838cc61890cf213
Opcode Fuzzy Hash: 940f004f01426f915bf61ff81f6b5f23993f11a6089f067a3857ee09328f4534
Instruction Fuzzy Hash: 72222874E002198FDB15DFA9C884BDDBBB2BF88304F5081AAD409AB355DB359E86CF51

Function 02CBC76C Relevance: 1.6, APIs: 1, Instructions: 62
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL(00000000), ref: 02CBC8AE

Memory Dump Source

Source File: 00000012.00000002.2646113626.0000000002CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2cb0000_JIlApjvRxj.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 67f8c6de416590941afb9c52b9f9477985b08d54d39356a7f94ef97e42fdc765
Instruction ID: 25bc0f854edc190dc664c7f62113f61fb6a0f508ced3681d079ae39205bd19ce
Opcode Fuzzy Hash: 67f8c6de416590941afb9c52b9f9477985b08d54d39356a7f94ef97e42fdc765
Instruction Fuzzy Hash: 73113A74E002099FEB15DBA9D484BEDBBB5FF88304F54816AE848E7345D7319E42CB60

Function 02C6D030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2645768281.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2c6d000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88a4ade53c43c3e994a3f5cdca25073cd5113b40ca11a0c2f990bb5361563ad7
Instruction ID: a864b4e1d8c2d11f0c64b91a282258b0c34d2fa3dd2316484c87f0106c60d322
Opcode Fuzzy Hash: 88a4ade53c43c3e994a3f5cdca25073cd5113b40ca11a0c2f990bb5361563ad7
Instruction Fuzzy Hash: 97212271608304DFDB10DF10D9C8B26BBA5FBC8314F20C56DD80A4B282C37AD447CAA2

Function 02C6D005 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000012.00000002.2645768281.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_2c6d000_JIlApjvRxj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dae201bac61633d30dcbba5edab514b47e9121d97a1e5e621180d55dc1528518
Instruction ID: 196b418ca96c354e30edc62fea951a090c86a645c50201e426d1650b5ede82e3
Opcode Fuzzy Hash: dae201bac61633d30dcbba5edab514b47e9121d97a1e5e621180d55dc1528518
Instruction Fuzzy Hash: 95214B7550D3C49FC703CB24D994711BF71AB86214F2985EBD8898F2A7C33A980ACB62

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EKSTRE_1022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EKSTRE_1022.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JIlApjvRxj.exe.log

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_aow4wjdq.4q5.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ayrkr3q3.4me.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g2g1oijj.1zo.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gd2pdpaf.ovq.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gsogotwp.hol.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nfamaill.lhy.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ov4oewa1.kij.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qvgyba1q.qfq.psm1

C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp

Windows Analysis Report
EKSTRE_1022.exe

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre