Windows Analysis Report
EKSTRE_1022.exe

Overview

General Information

Sample name: EKSTRE_1022.exe
Analysis ID: 1541206
MD5: b949a48b3046b4b4e6e68564b228fbb2
SHA1: 65bd4ceeb0b371e5c578479b7c1b83ae8b9ef29f
SHA256: f68c0c40aa651d080967ea4ea3c389fc1e3dbafcd097ac10f01374d0f6ae52d3
Tags: exe, MassLogger, user-lowmal3

Detection

MassLogger RAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected Telegram RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • EKSTRE_1022.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)
    • powershell.exe (PID: 8016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 8068 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 6884 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 8104 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 8124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • EKSTRE_1022.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)
    • EKSTRE_1022.exe (PID: 7524 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)
    • EKSTRE_1022.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)
    • EKSTRE_1022.exe (PID: 7564 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)
    • EKSTRE_1022.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\EKSTRE_1022.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)
  • JIlApjvRxj.exe (PID: 4520 cmdline: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe MD5: B949A48B3046B4B4E6E68564B228FBB2)
    • schtasks.exe (PID: 3500 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • JIlApjvRxj.exe (PID: 7752 cmdline: "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe" MD5: B949A48B3046B4B4E6E68564B228FBB2)
  • cleanup
{"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}
Source | Rule | Description | Author
00000012.00000002.2646438586.0000000002F84000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xefa7:$a1: get_encryptedPassword
  • 0xf2cf:$a2: get_encryptedUsername
  • 0xed42:$a3: get_timePasswordChanged
  • 0xee63:$a4: get_passwordField
  • 0xefbd:$a5: set_encryptedPassword
  • 0x10919:$a7: get_logins
  • 0x105ca:$a8: GetOutlookPasswords
  • 0x103bc:$a9: StartKeylogger
  • 0x10869:$a10: KeyLoggerEventArgs
  • 0x10419:$a11: KeyLoggerEventArgsEventHandler
00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(25 entries in total; the remaining entries are not reproduced here)

Source | Rule | Description | Author
14.2.JIlApjvRxj.exe.40ba988.0.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
14.2.JIlApjvRxj.exe.40ba988.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Strings:
  • 0xd3a7:$a1: get_encryptedPassword
  • 0xd6cf:$a2: get_encryptedUsername
  • 0xd142:$a3: get_timePasswordChanged
  • 0xd263:$a4: get_passwordField
  • 0xd3bd:$a5: set_encryptedPassword
  • 0xed19:$a7: get_logins
  • 0xe9ca:$a8: GetOutlookPasswords
  • 0xe7bc:$a9: StartKeylogger
  • 0xec69:$a10: KeyLoggerEventArgs
  • 0xe819:$a11: KeyLoggerEventArgsEventHandler
14.2.JIlApjvRxj.exe.40ba988.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  Strings:
  • 0x1234b:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x11849:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x11b57:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1294f:$a5: \Kometa\User Data\Default\Login Data
(23 entries in total; the remaining entries are not reproduced here)

                System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", ProcessId: 8016, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", ProcessId: 8016, ProcessName: powershell.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe, ParentImage: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe, ParentProcessId: 4520, ParentProcessName: JIlApjvRxj.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp", ProcessId: 3500, ProcessName: schtasks.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", ProcessId: 8104, ProcessName: schtasks.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe", ProcessId: 8016, ProcessName: powershell.exe

                Persistence and Installation Behavior

Source: Process started; Author: Joe Security; Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\EKSTRE_1022.exe", ParentImage: C:\Users\user\Desktop\EKSTRE_1022.exe, ParentProcessId: 7828, ParentProcessName: EKSTRE_1022.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp", ProcessId: 8104, ProcessName: schtasks.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-24T15:21:03.866696+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49710 | 193.122.6.168 | 80 | TCP
2024-10-24T15:21:07.054215+0200 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.8 | 49714 | 193.122.6.168 | 80 | TCP


                AV Detection

Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack; Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "kingnovasend@zqamcx.com", "Password": "Anambraeast", "Server": "zqamcx.com", "To": "kingnovaresult@zqamcx.com", "Port": 587}
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe; ReversingLabs: Detection: 36%
Source: EKSTRE_1022.exe; ReversingLabs: Detection: 36%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe; Joe Sandbox ML: detected
Source: EKSTRE_1022.exe; Joe Sandbox ML: detected

                Location Tracking

Source: unknown; DNS query: name: reallyfreegeoip.org
Source: EKSTRE_1022.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49716 version: TLS 1.0
Source: EKSTRE_1022.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RJtO.pdbSHA256 source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr
Source: Binary string: RJtO.pdb source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 4x nop then jmp 02652404h (0_2_02651BB5)
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 4x nop then jmp 02652404h (0_2_02651E65)
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 4x nop then jmp 02652404h (0_2_02651F7D)
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 4x nop then jmp 010C5782h (13_2_010C5358)
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 4x nop then jmp 010C51B9h (13_2_010C4F08)
Source: C:\Users\user\Desktop\EKSTRE_1022.exe; Code function: 4x nop then jmp 010C5782h (13_2_010C56AF)
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe; Code function: 4x nop then jmp 047C172Ch (14_2_047C0EDD)
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe; Code function: 4x nop then jmp 047C172Ch (14_2_047C118D)
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe; Code function: 4x nop then jmp 02CB5782h (18_2_02CB5358)
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe; Code function: 4x nop then jmp 02CB51B9h (18_2_02CB4F08)
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe; Code function: 4x nop then jmp 02CB5782h (18_2_02CB56AF)
Source: global traffic; HTTP traffic detected: GET /xml/173.254.250.71 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 193.122.6.168
Source: Joe Sandbox View; IP Address: 188.114.96.3
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown; DNS query: name: checkip.dyndns.org
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49714 -> 193.122.6.168:80
Source: Network traffic; Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.8:49710 -> 193.122.6.168:80
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic; DNS traffic detected: DNS query: reallyfreegeoip.org
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.com
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.comd
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/d
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.org/q
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://checkip.dyndns.orgd
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr; String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
Source: JIlApjvRxj.exe, 00000012.00000002.2650089586.0000000006607000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://microsoft.co
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr; String found in binary or memory: http://ocsp.comodoca.com0
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.org
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://reallyfreegeoip.orgd
Source: EKSTRE_1022.exe, 00000000.00000002.1424563889.00000000027DD000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1459389939.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E31000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr; String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71d
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://reallyfreegeoip.org/xml/173.254.250.71l
Source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr; String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
Source: unknown; Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49712

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, UltraSpeed.cs; .Net Code: VKCodeToUnicode
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, UltraSpeed.cs; .Net Code: VKCodeToUnicode
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, UltraSpeed.cs; .Net Code: VKCodeToUnicode

                System Summary

                barindex
                Source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeCode function: 0_2_06BA2CA8 NtQueryInformationProcess,0_2_06BA2CA8
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeCode function: 0_2_06BA2CA0 NtQueryInformationProcess,0_2_06BA2CA0
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_06EA2CA8 NtQueryInformationProcess,14_2_06EA2CA8
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_06EA2CA0 NtQueryInformationProcess,14_2_06EA2CA0
Source: EKSTRE_1022.exe | Static PE information: invalid certificate
Source: EKSTRE_1022.exe, 00000000.00000002.1424563889.0000000002844000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1423762513.0000000000B8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 00000000.00000002.1428993470.000000000B660000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 0000000D.00000002.2644076876.000000000041A000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe, 0000000D.00000002.2644441845.00000000009A7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe | Binary or memory string: OriginalFilenameRJtO.exe> vs EKSTRE_1022.exe
Source: EKSTRE_1022.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 (date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 (os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23)
Source: EKSTRE_1022.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JIlApjvRxj.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, UltraSpeed.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, COVIDPickers.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: _0020.SetAccessControl
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: _0020.AddAccessRule
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: _0020.SetAccessControl
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: _0020.AddAccessRule
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, IrmqqWkUGaV7heJOLK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, IrmqqWkUGaV7heJOLK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, IrmqqWkUGaV7heJOLK.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: _0020.SetAccessControl
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs | Security API names: _0020.AddAccessRule
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@27/15@2/2
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | File created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8024:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6720:120:WilError_03
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | Mutant created: \Sessions\1\BaseNamedObjects\EowxANBTvVfImCZPJSpJBNkCSSh
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8124:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | File created: C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp
Source: EKSTRE_1022.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.98%
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002CBC000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002CDD000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002CAE000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C9E000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2648113737.0000000003E5D000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002F0E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002F2C000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002F1E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: EKSTRE_1022.exe | ReversingLabs: Detection: 36%
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | File read: C:\Users\user\Desktop\EKSTRE_1022.exe
Source: unknown | Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | Process created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: dwrite.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: textshaping.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: schannel.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeSection loaded: dpapi.dll
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: EKSTRE_1022.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: EKSTRE_1022.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: EKSTRE_1022.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: RJtO.pdbSHA256 source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr
                Source: Binary string: RJtO.pdb source: EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr

Data Obfuscation

                Source: EKSTRE_1022.exe, formMain.cs.Net Code: InitializeComponent
                Source: JIlApjvRxj.exe.0.dr, formMain.cs.Net Code: InitializeComponent
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs.Net Code: o2lbUVjT1c System.Reflection.Assembly.Load(byte[])
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs.Net Code: o2lbUVjT1c System.Reflection.Assembly.Load(byte[])
                Source: 0.2.EKSTRE_1022.exe.37c0b90.1.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
                Source: 0.2.EKSTRE_1022.exe.6b60000.4.raw.unpack, Uo.cs.Net Code: _202A_202E_206E_206A_202B_206A_200E_200D_206F_200D_200C_200B_206E_202C_202B_200E_206A_202D_202A_202C_202E_206B_202C_202E_202D_206F_206C_200E_202D_206B_202D_206D_202A_200C_200C_200B_200C_202B_200D_202E_202E System.Reflection.Assembly.Load(byte[])
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs.Net Code: o2lbUVjT1c System.Reflection.Assembly.Load(byte[])
                Source: EKSTRE_1022.exeStatic PE information: 0xAAFFD7DD [Sun Nov 28 18:54:21 2060 UTC]
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeCode function: 0_2_00F55720 pushfd ; retf 0004h0_2_00F5572A
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeCode function: 0_2_02652346 push esi; ret 0_2_02652347
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeCode function: 0_2_06BA95D6 push es; iretd 0_2_06BA9604
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeCode function: 13_2_010CF273 push ebp; retf 13_2_010CF281
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_0266E2E0 push 14418B02h; ret 14_2_0266E2F3
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_0266C3C0 push cs; iretd 14_2_0266C3CE
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_0266A0F0 push 24418B02h; ret 14_2_0266A1B3
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_0266C501 push cs; iretd 14_2_0266C50E
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_02669358 push ebx; iretd 14_2_02669377
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_02665720 pushfd ; iretd 14_2_0266572A
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_02665870 pushfd ; iretd 14_2_02665876
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_0266590C pushfd ; iretd 14_2_02665916
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_047C25BA push cs; iretd 14_2_047C25C6
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_04D726A3 pushad ; iretd 14_2_04D726A6
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_04D71D87 pushad ; iretd 14_2_04D71D88
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_04D75ED0 push 24418B02h; ret 14_2_04D75EE3
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_04D71AF7 pushad ; iretd 14_2_04D71B06
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 14_2_082A5A68 push C0335002h; mov dword ptr [esp], eax14_2_082A5A7B
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 18_2_02CB27CB push ds; retf 18_2_02CB27D2
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeCode function: 18_2_02CB27BF push ds; retf 18_2_02CB27C2
                Source: EKSTRE_1022.exeStatic PE information: section name: .text entropy: 7.921681038853017
                Source: JIlApjvRxj.exe.0.drStatic PE information: section name: .text entropy: 7.921681038853017
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, yxyI5BFJELURXakQYI.csHigh entropy of concatenated method names: 'XHAsV0KSCI', 'HplsiDx2WY', 'WJtsUm9BLf', 'CELsSnGAwo', 'jSpsTBmseU', 'cxFsGfS4Zp', 'F76sNrajGJ', 'brKskfEqpx', 'Es9sQB6nPw', 'NqOs9nqf7w'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, jHTh2a80odskpT8irY.csHigh entropy of concatenated method names: 'cYAuZeeFoO', 'vnvudmCDGP', 'xdYuJocTZf', 'sfZuebpL0M', 'N3euPkltiE', 'fSYuxqEIFS', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, pVGfexb4PJmE9I0eMS.csHigh entropy of concatenated method names: 'koJOsrmqqW', 'zGaOtV7heJ', 'JWjOlKmr8O', 'hosOBl5DmA', 'F4gOClcVSg', 'BZrOyWj80S', 'PjeP5TDdS3YKrJnMpm', 'hG5visZ0vJsuoi84Rg', 'e3YZns5ZeHwGaZBk5m', 'QytOOLItEm'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zqBkq23pBKyjW57462.csHigh entropy of concatenated method names: 'PP7uEnCpGT', 'nHxuHxVSbT', 'sYVu7wc3IF', 'WS3ufSYOvf', 'd9duAjEhsO', 'JKtusgp7CG', 'HSlutSAkvM', 'AuBupB38as', 'a6PulPoOjS', 'n5puBEIbKk'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, RDlbE5OIhCAPUehj1Za.csHigh entropy of concatenated method names: 'AkKoVlDhHw', 'fkyoimm9ue', 'Hb4oUQ01sj', 'bJYoSRQwmo', 'fdHoTKYT0u', 'matoGQRyvs', 'Eo3oNx35AS', 'aHuokGV6SL', 'wfloQVw06J', 'ASKo9OJR9u'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, eDmAuQ9v2RM8LZ4glc.csHigh entropy of concatenated method names: 'W4cfTxwVP9', 'YLWfNIAVY0', 'be17JKD4GA', 'CAc7evslYg', 'Sco7x7cMQR', 'JiJ7WclwpN', 'T1x7YJOYbk', 'X187mSmSK0', 'uel7FHk7aH', 'yVq7D3v3gx'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, xuZKPH0bg3CNJiej0Y.cs High entropy of concatenated method names: 'RE8UZH5r8', 'DSLSWoMqi', 'P8cGwOxwQ', 'bIDN9X3CY', 'qNEQ7QjUP', 'Gvw9kwE8H', 'qgPuBEQdGkERkmdqRE', 'PZkNYOp58ZckVpH5kT', 'TfvuRDiUt', 'buj1TnkmY'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, DSg0IsjnvDMwoDkgHJ.cs High entropy of concatenated method names: 'yKdoO1MDMb', 'd1oorEBjqU', 'GoDobCtiaJ', 'MgyoExUB4N', 'dQCoH7vEun', 'DjJofDnCCZ', 'DxIoALNjDj', 'SH6uvnrISk', 'iMdu3Y086o', 'Arwu8RWUeE'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, XkyU3YwMsX6X7Ya2Ow.cs High entropy of concatenated method names: 'SvLclGG4yG', 'DqOcBZh5uL', 'ToString', 'eACcEkPBg4', 'TWMcHcIUjh', 'N5Xc7hKmET', 'MUScfRV2h6', 'wVRcAEicp7', 'n6pcsCq6sL', 'lU3ctgWCc8'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, zIWdmytET3UyVdCLNu.cs High entropy of concatenated method names: 'BTxr50399h', 'c9yrEhe0r0', 'QmlrHfpo1l', 'irkr7Polew', 'UGDrf6u9xk', 'MeVrA5hqxN', 'LT5rs01Xfb', 'OYvrt3jGwC', 'n9drpCbkuD', 'BXXrl0N42Y'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, JXuK5OOrdd4A47g8hp2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'boA1PMK2Q5', 'OoP1gBGtSc', 'Urv1KSbvMf', 'ulH1wByIH2', 'VJq12MWXje', 'gA91axkuoY', 'Y5h1vb0jdE'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, xSgTZrZWj80Sr5cuuu.cs High entropy of concatenated method names: 'O2CA5QnVBe', 'xWCAHVOiji', 'z9cAfUE9Cp', 'du4AsgtxKt', 'YAwAt7N0l6', 'BSEf2UPy4l', 'ejgfa3ulxi', 'aALfvUEf7A', 'Jtof3fOtvu', 'TcYf8li88B'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, gimaVxQWjKmr8Ofosl.cs High entropy of concatenated method names: 'cfX7SStUG0', 'NWN7GMomUS', 'Bt57kNwhAV', 'BM17QTndam', 'Mi57C3iNm4', 'kOb7yFZvEk', 'ikr7cOSFur', 'auV7u50Os0', 'wdU7ouJrnk', 'OlK716w8jC'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, xG25IkzZH5iNF8BafO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YdFoRQW7Qf', 'U8koCU6bav', 'BeMoyTIvvc', 'FqGocfMaBv', 'DkPoub7pwX', 'jy5oofKeUM', 'k5to1Lk6EY'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, F6xH8FLHG7b0LaXqx7.cs High entropy of concatenated method names: 'XwVRke48pR', 'WNERQJY14N', 'sKARZokvPj', 'gOARdoeDrl', 'vayReruVKT', 'dtYRxFvchI', 'Rt8RYd6YsM', 'wNRRmoKxEn', 'G3YRD1CkYj', 'XHTRqYZPNA'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, KVVciMPooTamDtE6Qi.cs High entropy of concatenated method names: 'DSnCD8Zo2X', 'sIwC47j85a', 'O59CPyUQZS', 'rVUCgT4Yh7', 'OPxCdrqwQL', 'x6kCJakEDs', 'x6lCeB718W', 'u7JCxtiPMT', 'JQ5CW2qFEQ', 'mdDCYfaNS4'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, IrmqqWkUGaV7heJOLK.cs High entropy of concatenated method names: 'Dr1HP1Hma3', 'WnlHgfeYnZ', 'JxMHKoV2dJ', 'DTUHw1JGkb', 'fwtH2xGT2p', 'bDvHaIx7FM', 'sg1HvdZ2gg', 'zHBH36cX8x', 'ip8H86ZNvh', 'RTgHjUFWQO'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, bnfZ4SYIIMAWSTswXq.cs High entropy of concatenated method names: 'xZjsETYWfS', 'F0Ys7y02v2', 'YarsAbCPbw', 'pllAj9ktg1', 'RZNAzA97U9', 'zvmsILwtak', 'psCsOvhGCS', 'cNUs0eDmX5', 'M0vsr3KD77', 'CX0sblHynN'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, iWE2HKaPDHVenn26YW.cs High entropy of concatenated method names: 'URnc3TE5Pc', 'HglcjQHgWH', 'aNcuIEB5Oo', 'YY1uOLR5Xs', 'qGLcqtTVfW', 'vdOc47miwV', 'HDccLPxQiV', 'C3dcPDqmbd', 'X7UcgkDxMe', 'NPTcKGBq4C'
                Source: 0.2.EKSTRE_1022.exe.b660000.5.raw.unpack, RiKiidHLlgPOlPUrnd.cs High entropy of concatenated method names: 'Dispose', 'yYxO8V9vjX', 'kyh0dDbSmn', 'bCiddB9vj3', 'EUqOjBkq2p', 'mKyOzjW574', 'ProcessDialogKey', 'u2s0IHTh2a', 'cod0OskpT8', 'yrY00NSg0I'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, yxyI5BFJELURXakQYI.cs High entropy of concatenated method names: 'XHAsV0KSCI', 'HplsiDx2WY', 'WJtsUm9BLf', 'CELsSnGAwo', 'jSpsTBmseU', 'cxFsGfS4Zp', 'F76sNrajGJ', 'brKskfEqpx', 'Es9sQB6nPw', 'NqOs9nqf7w'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, jHTh2a80odskpT8irY.cs High entropy of concatenated method names: 'cYAuZeeFoO', 'vnvudmCDGP', 'xdYuJocTZf', 'sfZuebpL0M', 'N3euPkltiE', 'fSYuxqEIFS', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, pVGfexb4PJmE9I0eMS.cs High entropy of concatenated method names: 'koJOsrmqqW', 'zGaOtV7heJ', 'JWjOlKmr8O', 'hosOBl5DmA', 'F4gOClcVSg', 'BZrOyWj80S', 'PjeP5TDdS3YKrJnMpm', 'hG5visZ0vJsuoi84Rg', 'e3YZns5ZeHwGaZBk5m', 'QytOOLItEm'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zqBkq23pBKyjW57462.cs High entropy of concatenated method names: 'PP7uEnCpGT', 'nHxuHxVSbT', 'sYVu7wc3IF', 'WS3ufSYOvf', 'd9duAjEhsO', 'JKtusgp7CG', 'HSlutSAkvM', 'AuBupB38as', 'a6PulPoOjS', 'n5puBEIbKk'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, RDlbE5OIhCAPUehj1Za.cs High entropy of concatenated method names: 'AkKoVlDhHw', 'fkyoimm9ue', 'Hb4oUQ01sj', 'bJYoSRQwmo', 'fdHoTKYT0u', 'matoGQRyvs', 'Eo3oNx35AS', 'aHuokGV6SL', 'wfloQVw06J', 'ASKo9OJR9u'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, eDmAuQ9v2RM8LZ4glc.cs High entropy of concatenated method names: 'W4cfTxwVP9', 'YLWfNIAVY0', 'be17JKD4GA', 'CAc7evslYg', 'Sco7x7cMQR', 'JiJ7WclwpN', 'T1x7YJOYbk', 'X187mSmSK0', 'uel7FHk7aH', 'yVq7D3v3gx'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, xuZKPH0bg3CNJiej0Y.cs High entropy of concatenated method names: 'RE8UZH5r8', 'DSLSWoMqi', 'P8cGwOxwQ', 'bIDN9X3CY', 'qNEQ7QjUP', 'Gvw9kwE8H', 'qgPuBEQdGkERkmdqRE', 'PZkNYOp58ZckVpH5kT', 'TfvuRDiUt', 'buj1TnkmY'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, DSg0IsjnvDMwoDkgHJ.cs High entropy of concatenated method names: 'yKdoO1MDMb', 'd1oorEBjqU', 'GoDobCtiaJ', 'MgyoExUB4N', 'dQCoH7vEun', 'DjJofDnCCZ', 'DxIoALNjDj', 'SH6uvnrISk', 'iMdu3Y086o', 'Arwu8RWUeE'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, XkyU3YwMsX6X7Ya2Ow.cs High entropy of concatenated method names: 'SvLclGG4yG', 'DqOcBZh5uL', 'ToString', 'eACcEkPBg4', 'TWMcHcIUjh', 'N5Xc7hKmET', 'MUScfRV2h6', 'wVRcAEicp7', 'n6pcsCq6sL', 'lU3ctgWCc8'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, zIWdmytET3UyVdCLNu.cs High entropy of concatenated method names: 'BTxr50399h', 'c9yrEhe0r0', 'QmlrHfpo1l', 'irkr7Polew', 'UGDrf6u9xk', 'MeVrA5hqxN', 'LT5rs01Xfb', 'OYvrt3jGwC', 'n9drpCbkuD', 'BXXrl0N42Y'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, JXuK5OOrdd4A47g8hp2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'boA1PMK2Q5', 'OoP1gBGtSc', 'Urv1KSbvMf', 'ulH1wByIH2', 'VJq12MWXje', 'gA91axkuoY', 'Y5h1vb0jdE'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, xSgTZrZWj80Sr5cuuu.cs High entropy of concatenated method names: 'O2CA5QnVBe', 'xWCAHVOiji', 'z9cAfUE9Cp', 'du4AsgtxKt', 'YAwAt7N0l6', 'BSEf2UPy4l', 'ejgfa3ulxi', 'aALfvUEf7A', 'Jtof3fOtvu', 'TcYf8li88B'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, gimaVxQWjKmr8Ofosl.cs High entropy of concatenated method names: 'cfX7SStUG0', 'NWN7GMomUS', 'Bt57kNwhAV', 'BM17QTndam', 'Mi57C3iNm4', 'kOb7yFZvEk', 'ikr7cOSFur', 'auV7u50Os0', 'wdU7ouJrnk', 'OlK716w8jC'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, xG25IkzZH5iNF8BafO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YdFoRQW7Qf', 'U8koCU6bav', 'BeMoyTIvvc', 'FqGocfMaBv', 'DkPoub7pwX', 'jy5oofKeUM', 'k5to1Lk6EY'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, F6xH8FLHG7b0LaXqx7.cs High entropy of concatenated method names: 'XwVRke48pR', 'WNERQJY14N', 'sKARZokvPj', 'gOARdoeDrl', 'vayReruVKT', 'dtYRxFvchI', 'Rt8RYd6YsM', 'wNRRmoKxEn', 'G3YRD1CkYj', 'XHTRqYZPNA'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, KVVciMPooTamDtE6Qi.cs High entropy of concatenated method names: 'DSnCD8Zo2X', 'sIwC47j85a', 'O59CPyUQZS', 'rVUCgT4Yh7', 'OPxCdrqwQL', 'x6kCJakEDs', 'x6lCeB718W', 'u7JCxtiPMT', 'JQ5CW2qFEQ', 'mdDCYfaNS4'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, IrmqqWkUGaV7heJOLK.cs High entropy of concatenated method names: 'Dr1HP1Hma3', 'WnlHgfeYnZ', 'JxMHKoV2dJ', 'DTUHw1JGkb', 'fwtH2xGT2p', 'bDvHaIx7FM', 'sg1HvdZ2gg', 'zHBH36cX8x', 'ip8H86ZNvh', 'RTgHjUFWQO'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, bnfZ4SYIIMAWSTswXq.cs High entropy of concatenated method names: 'xZjsETYWfS', 'F0Ys7y02v2', 'YarsAbCPbw', 'pllAj9ktg1', 'RZNAzA97U9', 'zvmsILwtak', 'psCsOvhGCS', 'cNUs0eDmX5', 'M0vsr3KD77', 'CX0sblHynN'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, iWE2HKaPDHVenn26YW.cs High entropy of concatenated method names: 'URnc3TE5Pc', 'HglcjQHgWH', 'aNcuIEB5Oo', 'YY1uOLR5Xs', 'qGLcqtTVfW', 'vdOc47miwV', 'HDccLPxQiV', 'C3dcPDqmbd', 'X7UcgkDxMe', 'NPTcKGBq4C'
                Source: 0.2.EKSTRE_1022.exe.41ae108.2.raw.unpack, RiKiidHLlgPOlPUrnd.cs High entropy of concatenated method names: 'Dispose', 'yYxO8V9vjX', 'kyh0dDbSmn', 'bCiddB9vj3', 'EUqOjBkq2p', 'mKyOzjW574', 'ProcessDialogKey', 'u2s0IHTh2a', 'cod0OskpT8', 'yrY00NSg0I'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, yxyI5BFJELURXakQYI.cs High entropy of concatenated method names: 'XHAsV0KSCI', 'HplsiDx2WY', 'WJtsUm9BLf', 'CELsSnGAwo', 'jSpsTBmseU', 'cxFsGfS4Zp', 'F76sNrajGJ', 'brKskfEqpx', 'Es9sQB6nPw', 'NqOs9nqf7w'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, jHTh2a80odskpT8irY.cs High entropy of concatenated method names: 'cYAuZeeFoO', 'vnvudmCDGP', 'xdYuJocTZf', 'sfZuebpL0M', 'N3euPkltiE', 'fSYuxqEIFS', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, pVGfexb4PJmE9I0eMS.cs High entropy of concatenated method names: 'koJOsrmqqW', 'zGaOtV7heJ', 'JWjOlKmr8O', 'hosOBl5DmA', 'F4gOClcVSg', 'BZrOyWj80S', 'PjeP5TDdS3YKrJnMpm', 'hG5visZ0vJsuoi84Rg', 'e3YZns5ZeHwGaZBk5m', 'QytOOLItEm'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zqBkq23pBKyjW57462.cs High entropy of concatenated method names: 'PP7uEnCpGT', 'nHxuHxVSbT', 'sYVu7wc3IF', 'WS3ufSYOvf', 'd9duAjEhsO', 'JKtusgp7CG', 'HSlutSAkvM', 'AuBupB38as', 'a6PulPoOjS', 'n5puBEIbKk'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, RDlbE5OIhCAPUehj1Za.cs High entropy of concatenated method names: 'AkKoVlDhHw', 'fkyoimm9ue', 'Hb4oUQ01sj', 'bJYoSRQwmo', 'fdHoTKYT0u', 'matoGQRyvs', 'Eo3oNx35AS', 'aHuokGV6SL', 'wfloQVw06J', 'ASKo9OJR9u'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, eDmAuQ9v2RM8LZ4glc.cs High entropy of concatenated method names: 'W4cfTxwVP9', 'YLWfNIAVY0', 'be17JKD4GA', 'CAc7evslYg', 'Sco7x7cMQR', 'JiJ7WclwpN', 'T1x7YJOYbk', 'X187mSmSK0', 'uel7FHk7aH', 'yVq7D3v3gx'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, xuZKPH0bg3CNJiej0Y.cs High entropy of concatenated method names: 'RE8UZH5r8', 'DSLSWoMqi', 'P8cGwOxwQ', 'bIDN9X3CY', 'qNEQ7QjUP', 'Gvw9kwE8H', 'qgPuBEQdGkERkmdqRE', 'PZkNYOp58ZckVpH5kT', 'TfvuRDiUt', 'buj1TnkmY'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, DSg0IsjnvDMwoDkgHJ.cs High entropy of concatenated method names: 'yKdoO1MDMb', 'd1oorEBjqU', 'GoDobCtiaJ', 'MgyoExUB4N', 'dQCoH7vEun', 'DjJofDnCCZ', 'DxIoALNjDj', 'SH6uvnrISk', 'iMdu3Y086o', 'Arwu8RWUeE'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, XkyU3YwMsX6X7Ya2Ow.cs High entropy of concatenated method names: 'SvLclGG4yG', 'DqOcBZh5uL', 'ToString', 'eACcEkPBg4', 'TWMcHcIUjh', 'N5Xc7hKmET', 'MUScfRV2h6', 'wVRcAEicp7', 'n6pcsCq6sL', 'lU3ctgWCc8'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, zIWdmytET3UyVdCLNu.cs High entropy of concatenated method names: 'BTxr50399h', 'c9yrEhe0r0', 'QmlrHfpo1l', 'irkr7Polew', 'UGDrf6u9xk', 'MeVrA5hqxN', 'LT5rs01Xfb', 'OYvrt3jGwC', 'n9drpCbkuD', 'BXXrl0N42Y'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, JXuK5OOrdd4A47g8hp2.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'boA1PMK2Q5', 'OoP1gBGtSc', 'Urv1KSbvMf', 'ulH1wByIH2', 'VJq12MWXje', 'gA91axkuoY', 'Y5h1vb0jdE'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, xSgTZrZWj80Sr5cuuu.cs High entropy of concatenated method names: 'O2CA5QnVBe', 'xWCAHVOiji', 'z9cAfUE9Cp', 'du4AsgtxKt', 'YAwAt7N0l6', 'BSEf2UPy4l', 'ejgfa3ulxi', 'aALfvUEf7A', 'Jtof3fOtvu', 'TcYf8li88B'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, gimaVxQWjKmr8Ofosl.cs High entropy of concatenated method names: 'cfX7SStUG0', 'NWN7GMomUS', 'Bt57kNwhAV', 'BM17QTndam', 'Mi57C3iNm4', 'kOb7yFZvEk', 'ikr7cOSFur', 'auV7u50Os0', 'wdU7ouJrnk', 'OlK716w8jC'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, xG25IkzZH5iNF8BafO.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'YdFoRQW7Qf', 'U8koCU6bav', 'BeMoyTIvvc', 'FqGocfMaBv', 'DkPoub7pwX', 'jy5oofKeUM', 'k5to1Lk6EY'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, F6xH8FLHG7b0LaXqx7.cs High entropy of concatenated method names: 'XwVRke48pR', 'WNERQJY14N', 'sKARZokvPj', 'gOARdoeDrl', 'vayReruVKT', 'dtYRxFvchI', 'Rt8RYd6YsM', 'wNRRmoKxEn', 'G3YRD1CkYj', 'XHTRqYZPNA'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, KVVciMPooTamDtE6Qi.cs High entropy of concatenated method names: 'DSnCD8Zo2X', 'sIwC47j85a', 'O59CPyUQZS', 'rVUCgT4Yh7', 'OPxCdrqwQL', 'x6kCJakEDs', 'x6lCeB718W', 'u7JCxtiPMT', 'JQ5CW2qFEQ', 'mdDCYfaNS4'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, IrmqqWkUGaV7heJOLK.cs High entropy of concatenated method names: 'Dr1HP1Hma3', 'WnlHgfeYnZ', 'JxMHKoV2dJ', 'DTUHw1JGkb', 'fwtH2xGT2p', 'bDvHaIx7FM', 'sg1HvdZ2gg', 'zHBH36cX8x', 'ip8H86ZNvh', 'RTgHjUFWQO'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, bnfZ4SYIIMAWSTswXq.cs High entropy of concatenated method names: 'xZjsETYWfS', 'F0Ys7y02v2', 'YarsAbCPbw', 'pllAj9ktg1', 'RZNAzA97U9', 'zvmsILwtak', 'psCsOvhGCS', 'cNUs0eDmX5', 'M0vsr3KD77', 'CX0sblHynN'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, iWE2HKaPDHVenn26YW.cs High entropy of concatenated method names: 'URnc3TE5Pc', 'HglcjQHgWH', 'aNcuIEB5Oo', 'YY1uOLR5Xs', 'qGLcqtTVfW', 'vdOc47miwV', 'HDccLPxQiV', 'C3dcPDqmbd', 'X7UcgkDxMe', 'NPTcKGBq4C'
                Source: 14.2.JIlApjvRxj.exe.41ccba8.3.raw.unpack, RiKiidHLlgPOlPUrnd.cs High entropy of concatenated method names: 'Dispose', 'yYxO8V9vjX', 'kyh0dDbSmn', 'bCiddB9vj3', 'EUqOjBkq2p', 'mKyOzjW574', 'ProcessDialogKey', 'u2s0IHTh2a', 'cod0OskpT8', 'yrY00NSg0I'
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe File created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe

                Boot Survival

                Source: C:\Users\user\Desktop\EKSTRE_1022.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match - File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: F50000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: 27A0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: 25F0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: 8B90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: 9B90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: 9DA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: ADA0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: B6C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: C6C0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: 1080000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: 2BC0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: 2B00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 2600000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 27C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 47C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 8520000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 9520000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 9710000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: A710000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: B0D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: C0D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 2CB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 2E30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory allocated: 4E30000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6611
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 587
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 6734
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Window / User API: threadDelayed 496
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe TID: 7848 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7220 - Thread sleep count: 6611 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7640 - Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7184 - Thread sleep count: 587 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7412 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6396 - Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7436 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe TID: 6288 - Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Windows\System32\conhost.exe - Last function: Thread delayed
                Source: EKSTRE_1022.exe, 0000000D.00000002.2645398048.0000000000E66000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllEL
                Source: JIlApjvRxj.exe, 00000012.00000002.2644657130.0000000001028000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Code function: 13_2_010CC168 LdrInitializeThunk,LdrInitializeThunk,13_2_010CC168
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory allocated: page read and write | page guard
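The thread-delay entries above report values such as -922337203685477s and exact 3x and 6x multiples of it. As an added example (not part of the Joe Sandbox report and not code from the sample), the Python below parses those entries and separates threads parked on an infinite wait from threads looping over many short sleeps, which is the pattern that actually burns sandbox time. It rests on two assumptions that the report does not state: the printed value is the raw NtDelayExecution relative interval divided by 10,000 (milliseconds despite the "s" suffix; the -30000 threshold is 30 seconds), and an interval of INT64_MIN, which is what SleepEx(INFINITE) hands to NtDelayExecution, prints as -922337203685477. The multiples are taken to be sums over several such calls, which the exact 3x and 6x values suggest.

```python
import re

INT64_MIN = -(1 << 63)
TICKS_PER_MS = 10_000  # NtDelayExecution takes the interval in 100-ns ticks

# Assumption: the report prints the relative interval divided by 10,000 (milliseconds,
# despite the "s" suffix). SleepEx(INFINITE) passes INT64_MIN (0x8000000000000000)
# as the interval, which prints as -922337203685477.
INFINITE_MS = -(abs(INT64_MIN) // TICKS_PER_MS)

# Lines copied from the report above (fused "TID: NNNN" + "Thread sleep ..." cells).
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\EKSTRE_1022.exe TID: 7848Thread sleep time: -922337203685477s >= -30000s",
    "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7220Thread sleep count: 6611 > 30",
    "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7640Thread sleep time: -5534023222112862s >= -30000s",
    "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 7184Thread sleep count: 587 > 30",
    "Source: C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe TID: 6396Thread sleep time: -2767011611056431s >= -30000s",
    "Source: C:\\Users\\user\\AppData\\Roaming\\JIlApjvRxj.exe TID: 6288Thread sleep time: -922337203685477s >= -30000s",
]

SLEEP_RE = re.compile(r"TID: (?P<tid>\d+)\s*Thread sleep time: (?P<ms>-?\d+)s")
COUNT_RE = re.compile(r"TID: (?P<tid>\d+)\s*Thread sleep count: (?P<n>\d+)")


def classify_delay(reported_ms):
    """Map a reported sleep value to ('zero'|'infinite'|'finite', n).

    For 'infinite', n is how many INT64_MIN intervals the value is made of
    (the report's 3x and 6x values are taken to be sums over several calls).
    """
    if reported_ms == 0:
        return ("zero", 0)
    if abs(reported_ms) % abs(INFINITE_MS) == 0:
        return ("infinite", abs(reported_ms) // abs(INFINITE_MS))
    return ("finite", abs(reported_ms))


def triage(lines):
    """Return {tid: (kind, n)} distinguishing parked threads from sleep loops."""
    threads = {}
    for line in lines:
        m = SLEEP_RE.search(line)
        if m:
            kind, n = classify_delay(int(m["ms"]))
            threads[int(m["tid"])] = ("infinite-wait", n) if kind == "infinite" else ("timed-sleep-ms", n)
            continue
        m = COUNT_RE.search(line)
        if m:
            # Many short sleeps in a loop are what actually runs the sandbox clock out.
            threads[int(m["tid"])] = ("sleep-loop", int(m["n"]))
    return threads


if __name__ == "__main__":
    for tid, (kind, n) in sorted(triage(REPORT_LINES).items()):
        print(f"TID {tid}: {kind} ({n})")
```

Read this way, the sample and its dropped copy each park one thread on an infinite wait (a keylogger main thread waiting while hook and exfiltration threads run), while the 6611- and 587-iteration sleep loops belong to the powershell.exe children; treat the two differently when deciding whether a sample is stalling for time.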

                HIPS / PFW / Operating System Protection Evasion

                Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, UltraSpeed.cs - Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, FFDecryptor.cs - Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, FFDecryptor.cs - Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Memory written: C:\Users\user\Desktop\EKSTRE_1022.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Memory written: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe base: 400000 value starts with: 4D5A
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Process created: C:\Users\user\Desktop\EKSTRE_1022.exe "C:\Users\user\Desktop\EKSTRE_1022.exe"
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp"
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe - Process created: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Users\user\Desktop\EKSTRE_1022.exe VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe VolumeInformation
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\EKSTRE_1022.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR

Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR

Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\EKSTRE_1022.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000012.00000002.2646438586.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2647148367.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JIlApjvRxj.exe PID: 7752, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR

Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.3fd85f0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.EKSTRE_1022.exe.409bee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.JIlApjvRxj.exe.40ba988.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7828, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: EKSTRE_1022.exe PID: 7584, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: JIlApjvRxj.exe PID: 4520, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic; the digits in parentheses are the signature-count badges shown in the report's matrix, reproduced as they appear)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Native API (1); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: DLL Side-Loading (1); Scheduled Task/Job (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: DLL Side-Loading (1); Process Injection (111); Scheduled Task/Job (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (12); Timestomp (1); DLL Side-Loading (1); Masquerading (1); Virtualization/Sandbox Evasion (31); Process Injection (111)
Credential Access: OS Credential Dumping (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: File and Directory Discovery (1); System Information Discovery (13); Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: Archive Collected Data (11); Data from Local System (1); Email Collection (1); Input Capture (1); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (11); Non-Application Layer Protocol (2); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID: 1541206; Sample: EKSTRE_1022.exe; Startdate: 24/10/2024; Architecture: WINDOWS; Score: 100)

Graph legend (icon categories): Process; Signature; Created File; DNS/IP Info; Is Dropped; Is Windows Process; Number of created Registry Values; Number of created Files; Visual Basic; Delphi; Java; .Net C# or VB.NET; C, C++ or other language; Is malicious; Internet

Contacted hosts: reallyfreegeoip.org; checkip.dyndns.org; checkip.dyndns.com
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 10 other signatures
Signature on reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)

Process tree (the numbers after process names are the graph's per-process counters, reproduced as shown):
EKSTRE_1022.exe 7 (started)
    Dropped: C:\Users\user\AppData\...\JIlApjvRxj.exe (PE32); C:\Users\...\JIlApjvRxj.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp4FA4.tmp (XML); C:\Users\user\AppData\...KSTRE_1022.exe.log (ASCII)
    Signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    EKSTRE_1022.exe 15 2 (started)
        DNS/IP: reallyfreegeoip.org 188.114.96.3, 443, 49712, 49716 CLOUDFLARENETUS European Union
        DNS/IP: checkip.dyndns.com 193.122.6.168, 49710, 49714, 80 ORACLE-BMC-31898US United States
    powershell.exe 23 (started)
        Signature: Loading BitLocker PowerShell Module
        conhost.exe (started)
        WmiPrvSE.exe (started)
    powershell.exe 23 (started)
        conhost.exe (started)
    5 other processes
        conhost.exe (started)
JIlApjvRxj.exe 5 (started)
    Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    JIlApjvRxj.exe (started)
        Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)
    schtasks.exe (started)
        conhost.exe (started)

Antivirus detection (submitted file)
Source | Detection | Scanner | Label | Link
EKSTRE_1022.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
EKSTRE_1022.exe | 100% | Joe Sandbox ML | |

Antivirus detection (dropped files)
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\JIlApjvRxj.exe | 37% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |

No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://checkip.dyndns.org/ | 0% | URL Reputation | safe |
http://checkip.dyndns.org/q | 0% | URL Reputation | safe |
http://reallyfreegeoip.org | 0% | URL Reputation | safe |
https://reallyfreegeoip.org | 0% | URL Reputation | safe |
http://checkip.dyndns.org | 0% | URL Reputation | safe |
http://checkip.dyndns.com | 0% | URL Reputation | safe |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | 0% | URL Reputation | safe |
https://reallyfreegeoip.org/xml/ | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.96.3 | true | true | | unknown
checkip.dyndns.com | 193.122.6.168 | true | false | | unknown
checkip.dyndns.org | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/173.254.250.71 | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.comd | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://microsoft.co | JIlApjvRxj.exe, 00000012.00000002.2650089586.0000000006607000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org/xml/173.254.250.71d | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://checkip.dyndns.org/q | EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://reallyfreegeoip.orgd | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://tempuri.org/DataSet1.xsd | EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr | false | | unknown
http://reallyfreegeoip.org | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C5B000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.orgd | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://reallyfreegeoip.org/xml/173.254.250.71l | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://checkip.dyndns.org | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C2C000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E9C000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.com | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://checkip.dyndns.org/d | EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | EKSTRE_1022.exe, 00000000.00000002.1424563889.00000000027DD000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1459389939.00000000027FD000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002E31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | EKSTRE_1022.exe, JIlApjvRxj.exe.0.dr | false | URL Reputation: safe | unknown
https://api.telegram.org/bot-/sendDocument?chat_id= | EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://reallyfreegeoip.org/xml/ | EKSTRE_1022.exe, 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, EKSTRE_1022.exe, 0000000D.00000002.2647148367.0000000002C3E000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, JIlApjvRxj.exe, 00000012.00000002.2646438586.0000000002EAE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.122.6.168 | checkip.dyndns.com | United States | | 31898 | ORACLE-BMC-31898US | false
188.114.96.3 | reallyfreegeoip.org | European Union | | 13335 | CLOUDFLARENETUS | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1541206
Start date and time: 2024-10-24 15:20:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 22s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: EKSTRE_1022.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@27/15@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 163
• Number of non-executed functions: 18
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: EKSTRE_1022.exe
Time | Type | Description
09:21:00 | API Interceptor | 2x Sleep call for process: EKSTRE_1022.exe modified
09:21:01 | API Interceptor | 26x Sleep call for process: powershell.exe modified
09:21:04 | API Interceptor | 2x Sleep call for process: JIlApjvRxj.exe modified
15:21:02 | Task Scheduler | Run new task: JIlApjvRxj path: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.122.6.168 | Purchase Order.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | PAYMENT ADVISE MT107647545.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | RFQ_64182MR_PDF.R00.vbs | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Distribuciones Enelca Ja#U00e9n, S.L. PEDIDO 456799.vbs | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | InvoiceXCopy.xls | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | Ziraat Bankasi Swift Mesaji,pdf.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | AmountXpayable.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | CLOSURE.doc | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | REVISED INVOICE.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | Inquiry N_ TM23-10-00.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
188.114.96.3 | Orden de Compra No. 78986756565344657.xlam.xlsx | malicious | AgentTesla | paste.ee/d/nwtkd
188.114.96.3 | Doc 784-01965670.exe | malicious | FormBook | www.launchdreamidea.xyz/bd77/
188.114.96.3 | PO1268931024 - Bank Slip.exe | malicious | PureLog Stealer | www.timizoasisey.shop/3p0l/
188.114.96.3 | BL.exe | malicious | FormBook | www.launchdreamidea.xyz/bd77/
188.114.96.3 | w49A5FG3yg.exe | malicious | DCRat, PureLog Stealer, zgRAT | 733812cm.n9shteam.in/DefaultWordpress.php
188.114.96.3 | 9XHFe6y4Dj.exe | malicious | DCRat, PureLog Stealer, zgRAT | 733812cm.n9shteam.in/DefaultWordpress.php
188.114.96.3 | SecuriteInfo.com.Win32.MalwareX-gen.14607.6011.exe | malicious | Unknown | servicetelemetryserver.shop/api/index.php
188.114.96.3 | t1zTzS9a3r.exe | malicious | DCRat, PureLog Stealer, zgRAT | abdulbek.top/externalvideoprotectdefaultsqlWindowsdlePrivate.php
188.114.96.3 | aQdB62N7SB.elf | malicious | Shikitega, Xmrig | main.dsn.ovh/dns/lovely
188.114.96.3 | QUOTATION_OCTQTRA071244PDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/DyuQ5y15/download

Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | Purchase Order.exe | malicious | MassLogger RAT | 188.114.97.3
reallyfreegeoip.org | Halkbank_Ekstre_20241022_081224_563756.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | REVISED INVOICE.exe | malicious | GuLoader, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | SIPARIS-290124.PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | Renommxterne.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | PAYMENT ADVISE MT107647545.exe | malicious | Snake Keylogger | 188.114.97.3
reallyfreegeoip.org | Produccion.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | 080210232024.exe | malicious | MassLogger RAT | 188.114.97.3
reallyfreegeoip.org | 226999705-124613-sanlccjavap0004-67.exe | malicious | Snake Keylogger | 188.114.96.3
reallyfreegeoip.org | BT-036016002U_RFQ 014-010-02024.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
checkip.dyndns.com | Purchase Order.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | Halkbank_Ekstre_20241022_081224_563756.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.247.73
checkip.dyndns.com | REVISED INVOICE.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
checkip.dyndns.com | SIPARIS-290124.PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 132.226.8.169
checkip.dyndns.com | Renommxterne.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
checkip.dyndns.com | PAYMENT ADVISE MT107647545.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | Produccion.exe | malicious | GuLoader, Snake Keylogger | 132.226.247.73
checkip.dyndns.com | 080210232024.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | 226999705-124613-sanlccjavap0004-67.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | BT-036016002U_RFQ 014-010-02024.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0

Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898 (US) | Purchase Order.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898 (US) | REVISED INVOICE.exe | malicious | GuLoader, Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898 (US) | botnet.spc.elf | malicious | Mirai, Moobot | 140.238.98.34
ORACLE-BMC-31898 (US) | Renommxterne.exe | malicious | GuLoader, Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898 (US) | PAYMENT ADVISE MT107647545.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898 (US) | 226999705-124613-sanlccjavap0004-67.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898 (US) | BT-036016002U_RFQ 014-010-02024.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898 (US) | RFQ_64182MR_PDF.R00.vbs | malicious | GuLoader, Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898 (US) | la.bot.arm5.elf | malicious | Unknown | 193.123.253.227
ORACLE-BMC-31898 (US) | la.bot.m68k.elf | malicious | Unknown | 193.123.29.81
CLOUDFLARENET (US) | Purchase Order.exe | malicious | MassLogger RAT | 188.114.97.3
CLOUDFLARENET (US) | https://app.pandadoc.com/document/v2?token=69b8ae0059c2551a9a27ed1b65653c1a0b5ee1ff | malicious | Unknown | 104.16.117.116
CLOUDFLARENET (US) | https://app.writesonic.com/share/writing-assistant/d140c48b-3642-43bf-a085-e258c1fb4f03 | malicious | Unknown | 172.67.71.97
CLOUDFLARENET (US) | StudioDemo.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENET (US) | https://egift.activationshub.com/gift-card/view/8lPFUrjq1LGzg7JHwS8hJJRdL/ | malicious | Unknown | 104.18.95.41
CLOUDFLARENET (US) | 5Setup.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENET (US) | setup.msi | malicious | Unknown | 172.64.41.3
CLOUDFLARENET (US) | https://1drv.ms/o/c/3e563d3fb2a98d1c/Emlo5KUbYYNEvKtIF-7SS0EBYSeT3hOOGuv_MbeT-n2y4g?e=HPjqUn | malicious | HtmlDropper | 104.21.45.155
CLOUDFLARENET (US) | https://railrent-railrent.powerappsportals.com/ | malicious | Unknown | 172.67.140.116
CLOUDFLARENET (US) | https://2007.filemail.com/api/file/get?filekey=58mKUrTMdlmzqkRvo0UdVa2TMjJTCQiSNv5rUBtsDQTNU0dM4JzppUJaOrP_mWxCym0k9l5xEDeaXunPsHq6frY8XZH_gnclw86MefA3bpAlGuDkr77-xSqrMOQIlMdW5cRjwoOSCWIlTwpC48cNKMMHhMKp&track=P8fpm4ry&pk_vid=8a8b18f03738ae4f17297703684d559d | malicious | HTMLPhisher | 104.17.112.233

Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | Purchase Order.exe | malicious | MassLogger RAT | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Halkbank_Ekstre_20241022_081224_563756.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | SIPARIS-290124.PDF.exe | malicious | PureLog Stealer, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Renommxterne.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | PAYMENT ADVISE MT107647545.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | Produccion.exe | malicious | GuLoader, Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | 080210232024.exe | malicious | MassLogger RAT | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | 226999705-124613-sanlccjavap0004-67.exe | malicious | Snake Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | BT-036016002U_RFQ 014-010-02024.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
54328bd36c14bd82ddaa0c04b25ed9ad | RFQ_64182MR_PDF.R00.vbs | malicious | GuLoader, Snake Keylogger | 188.114.96.3
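The context tables above show the same two lookup services, checkip.dyndns.org/.com and reallyfreegeoip.org, recurring across MassLogger, Snake Keylogger and related samples, and the report flags this sample as using them to learn the analysis machine's country. As an added example that is not part of the Joe Sandbox report, the Python below turns that observation into a detection over constructed Sysmon-style DNS query events (Event ID 22): any lookup of those domains from a process that is not a browser is reported, and a process that touches more than one of the services (primary plus fallback) is rated high confidence. The event records, the field names and the browser allowlist are assumptions modelled on Sysmon's DNS event, not data from the report.

```python
"""Detect external-IP / geolocation lookups from unexpected processes.

Added example, not code from the Joe Sandbox report or from the sample. The input is
constructed NDJSON modelled on Sysmon Event ID 22 (DNS query) records.
"""
import json
import ntpath
from collections import defaultdict

# Domains the report shows being contacted for external IP / country discovery.
GEOIP_LOOKUP_DOMAINS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}

# Assumption: images for which such a lookup is unremarkable. Tune per estate.
EXPECTED_IMAGES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample events (raw string so the JSON keeps its doubled backslashes).
# Process 6120 models the persisted copy the report's timeline shows; the other
# records are benign noise to make sure the rule stays quiet on them.
SAMPLE_NDJSON = r"""
{"EventID": 22, "UtcTime": "2024-10-24 13:21:05.101", "ProcessId": 6120, "Image": "C:\\Users\\user\\AppData\\Roaming\\JIlApjvRxj.exe", "QueryName": "checkip.dyndns.org"}
{"EventID": 22, "UtcTime": "2024-10-24 13:21:05.640", "ProcessId": 6120, "Image": "C:\\Users\\user\\AppData\\Roaming\\JIlApjvRxj.exe", "QueryName": "reallyfreegeoip.org."}
{"EventID": 22, "UtcTime": "2024-10-24 13:22:10.003", "ProcessId": 4410, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "QueryName": "reallyfreegeoip.org"}
{"EventID": 22, "UtcTime": "2024-10-24 13:22:11.500", "ProcessId": 1204, "Image": "C:\\Windows\\System32\\svchost.exe", "QueryName": "fs.microsoft.com"}
{"EventID": 1, "UtcTime": "2024-10-24 13:21:04.900", "ProcessId": 6120, "Image": "C:\\Users\\user\\AppData\\Roaming\\JIlApjvRxj.exe", "CommandLine": "JIlApjvRxj.exe"}
"""


def parse_events(ndjson):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def normalize_domain(name):
    """Lower-case and drop the trailing dot some resolvers log."""
    return name.strip().rstrip(".").lower()


def detect_geoip_lookups(events):
    """Return one alert per (pid, image) that queried a geolocation service."""
    domains_by_proc = defaultdict(set)
    first_seen = {}
    for ev in events:
        if ev.get("EventID") != 22:          # only DNS query events
            continue
        domain = normalize_domain(ev.get("QueryName", ""))
        if domain not in GEOIP_LOOKUP_DOMAINS:
            continue
        image = ev.get("Image", "")
        if ntpath.basename(image).lower() in EXPECTED_IMAGES:
            continue                          # a browser visiting the site is expected
        key = (ev.get("ProcessId"), image)
        domains_by_proc[key].add(domain)
        first_seen.setdefault(key, ev.get("UtcTime"))

    alerts = []
    for (pid, image), domains in domains_by_proc.items():
        alerts.append({
            "pid": pid,
            "image": image,
            "first_seen": first_seen[(pid, image)],
            "domains": sorted(domains),
            # Two different services from one process (primary plus fallback) is
            # the pattern the report's context tables show across these families.
            "confidence": "high" if len(domains) >= 2 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_geoip_lookups(parse_events(SAMPLE_NDJSON)):
        print(json.dumps(alert))
```

On a real estate the allowlist needs care: some updaters and VPN clients legitimately ask for their public IP, so the high-confidence path (two services from one process under a user-writable directory) is the one worth paging on.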
                                          No context
Process: C:\Users\user\Desktop\EKSTRE_1022.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: false
Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.3810236212315665
Encrypted: false
SSDEEP: 48:lylWSU4xympgv4RIoUP7gZ9tK8NPZHUx7u1iMugeC/ZPUyus:lGLHxv2IfLZ2KRH6Oug8s
MD5: 46CFAD7E103735ABA6646E3E9F6012AF
SHA1: F864D5F42D478A79AF32EAE14B87265DE193A851
SHA-256: 55D9A9F40CF5657C548085C6C2472DF452CF3B1A75515C52F59D8853C5F39E74
SHA-512: 8AE818C136BC9AD5A375BDF9B7688C900C8CBE69A17660D428618259E680F338557E5DFF9897E1414E95E2AB1F5B9792965C20FAB7320648FB0B430C10F81A48
Malicious: false
Preview: @...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\EKSTRE_1022.exe
File Type: XML 1.0 document, ASCII text
Category: dropped
Size (bytes): 1583
Entropy (8bit): 5.115863867121155
Encrypted: false
SSDEEP: 24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoIxxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuToWv
MD5: FA1A9352A7AC073AA7BA9FF5B6B4290F
SHA1: A76D0A104D307F2B6D3CB88610E701099885717B
SHA-256: 519E028175C5DFFAEBDB60BDB85978406C35E5EBA60E342241F707FCC54763BB
SHA-512: 08B8DE1074F47CA4DD463E6B20373C8ADFEF19D66139531203360E120C32E74673499E7FE4F1752078FE782EC02E2D95EB3B06DEE10DBDE4AAD56580D38DACF1
Malicious: true
Preview: <?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                          Process:C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1583
                                          Entropy (8bit):5.115863867121155
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtoIxxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuToWv
                                          MD5:FA1A9352A7AC073AA7BA9FF5B6B4290F
                                          SHA1:A76D0A104D307F2B6D3CB88610E701099885717B
                                          SHA-256:519E028175C5DFFAEBDB60BDB85978406C35E5EBA60E342241F707FCC54763BB
                                          SHA-512:08B8DE1074F47CA4DD463E6B20373C8ADFEF19D66139531203360E120C32E74673499E7FE4F1752078FE782EC02E2D95EB3B06DEE10DBDE4AAD56580D38DACF1
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                          Process:C:\Users\user\Desktop\EKSTRE_1022.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):573960
                                          Entropy (8bit):7.910291827027345
                                          Encrypted:false
                                          SSDEEP:12288:SCfiaVM5GHMoVZYL0VCFQYAAA22zQ5I/slShaMZucL7kR:SYiJ5kVZglAB22zQ56LjI
                                          MD5:B949A48B3046B4B4E6E68564B228FBB2
                                          SHA1:65BD4CEEB0B371E5C578479B7C1B83AE8B9EF29F
                                          SHA-256:F68C0C40AA651D080967EA4EA3C389FC1E3DBAFCD097AC10F01374D0F6AE52D3
                                          SHA-512:2734F5ADBE5244338E919165B61E5C1C4924A30B54EBD0CEB9022CB1621B486E9E7CE5CC932D29CC64BFF89C89302BE6E410A4F2AB950DBDD63AEAAACF5D5781
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 37%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@.................................F...O.......0................6..........(}..p............................................ ............... ..H............text....~... ...................... ..`.rsrc...0...........................@..@.reloc..............................@..B................z.......H........t...i......M...................................................z..}.....(.......(......(.....*..0............{....o....r...p(......,...{....o....(......*...0..]........( .....,R..{....o!....("...o#.....{.....{....o$....("...o%...o&.....{......X.o'......}.....*....0............(......,...((.....*....0..!.........(......,...{....o).....(......*6.r...p(*...&*....{.....(......{....r...po+....*....0..U.........{....,..{.......+....,....(....}......}.....+$.{....,..{....+.
                                          Process:C:\Users\user\Desktop\EKSTRE_1022.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.910291827027345
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.98%
                                          • Win32 Executable (generic) a (10002005/4) 49.93%
                                          • Windows Screen Saver (13104/52) 0.07%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          File name:EKSTRE_1022.exe
                                          File size:573'960 bytes
                                          MD5:b949a48b3046b4b4e6e68564b228fbb2
                                          SHA1:65bd4ceeb0b371e5c578479b7c1b83ae8b9ef29f
                                          SHA256:f68c0c40aa651d080967ea4ea3c389fc1e3dbafcd097ac10f01374d0f6ae52d3
                                          SHA512:2734f5adbe5244338e919165b61e5c1c4924a30b54ebd0ceb9022cb1621b486e9e7ce5cc932d29cc64bff89c89302be6e410a4f2ab950dbdd63aeaaacf5d5781
                                          SSDEEP:12288:SCfiaVM5GHMoVZYL0VCFQYAAA22zQ5I/slShaMZucL7kR:SYiJ5kVZglAB22zQ56LjI
                                          TLSH:C3C4124136F89BE2D6FFABF41162556203B3771B2939D78D1DC400ED18E3B688A54B17
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0.................. ........@.. ....................................@................................
                                          Icon Hash:00928e8e8686b000
                                          Entrypoint:0x489e9a
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0xAAFFD7DD [Sun Nov 28 18:54:21 2060 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Signature Valid:false
                                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                          Signature Validation Error:The digital signature of the object did not verify
                                          Error Number:-2146869232
                                          Not Before, Not After
                                          • 13/11/2018 01:00:00 09/11/2021 00:59:59
                                          Subject Chain
                                          • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                          Version:3
                                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                          Serial:7C1118CBBADC95DA3752C46E47A27438
                                          Instruction
                                          jmp dword ptr [00402000h]
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
                                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89e46 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x630 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x88c00 | 0x3608 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x87d28 | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x87ea0 | 0x88000 | 3ae061c57300b82df02c3e55360c39a4 | False | 0.9378608254825368 | data | 7.921681038853017 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8a000 | 0x630 | 0x800 | ea6531436aaf8e08a53451deae7a9167 | False | 0.33984375 | data | 3.4834516097693258 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x8c000 | 0xc | 0x200 | 99f9f90731f11386fac22638170e1630 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x8a090 | 0x3a0 | data |  |  | 0.4213362068965517
RT_MANIFEST | 0x8a440 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-24T15:21:03.866696+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49710 | 193.122.6.168 | 80 | TCP
2024-10-24T15:21:07.054215+0200 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.8 | 49714 | 193.122.6.168 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 15:21:02.702706099 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:02.708190918 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:02.708264112 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:02.708482981 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:02.714199066 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:03.556114912 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:03.561868906 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:03.567780972 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:03.809865952 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:03.866695881 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:04.205415964 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:04.205449104 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:04.205552101 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:04.212364912 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:04.212378979 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:04.833420992 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:04.833501101 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:04.837733030 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:04.837738037 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:04.838001013 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:04.882370949 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:04.892824888 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:04.939327002 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:05.042577982 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:05.042673111 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:05.042753935 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:05.062947035 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:05.891138077 CEST | 49714 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:05.897150993 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:05.897245884 CEST | 49714 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:05.897456884 CEST | 49714 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:05.906819105 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:06.749663115 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:06.755157948 CEST | 49714 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:06.760937929 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:07.002935886 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:21:07.005367041 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:07.005410910 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:07.005510092 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:07.011703968 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:07.011727095 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:07.054214954 CEST | 49714 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:21:07.629874945 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:07.630022049 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:07.632005930 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:07.632016897 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:07.632488012 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:07.679183960 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:07.696736097 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:07.739330053 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:07.840065956 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:07.840308905 CEST | 443 | 49716 | 188.114.96.3 | 192.168.2.8
Oct 24, 2024 15:21:07.840368032 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:21:07.843463898 CEST | 49716 | 443 | 192.168.2.8 | 188.114.96.3
Oct 24, 2024 15:22:08.931389093 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:22:08.931570053 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:22:12.123620033 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:22:12.123732090 CEST | 49714 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:22:43.851861000 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:22:44.163899899 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:22:44.479981899 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:22:44.481862068 CEST | 80 | 49710 | 193.122.6.168 | 192.168.2.8
Oct 24, 2024 15:22:44.482017994 CEST | 49710 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:22:47.008397102 CEST | 49714 | 80 | 192.168.2.8 | 193.122.6.168
Oct 24, 2024 15:22:47.282497883 CEST | 80 | 49714 | 193.122.6.168 | 192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 24, 2024 15:21:02.677881956 CEST | 63959 | 53 | 192.168.2.8 | 1.1.1.1
Oct 24, 2024 15:21:02.686837912 CEST | 53 | 63959 | 1.1.1.1 | 192.168.2.8
Oct 24, 2024 15:21:04.195843935 CEST | 51683 | 53 | 192.168.2.8 | 1.1.1.1
Oct 24, 2024 15:21:04.204798937 CEST | 53 | 51683 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 24, 2024 15:21:02.677881956 CEST | 192.168.2.8 | 1.1.1.1 | 0x7f3a | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:21:04.195843935 CEST | 192.168.2.8 | 1.1.1.1 | 0x5f53 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 24, 2024 15:21:02.686837912 CEST | 1.1.1.1 | 192.168.2.8 | 0x7f3a | No error (0) | checkip.dyndns.org | checkip.dyndns.com |  | CNAME (Canonical name) | IN (0x0001) | false
Oct 24, 2024 15:21:02.686837912 CEST | 1.1.1.1 | 192.168.2.8 | 0x7f3a | No error (0) | checkip.dyndns.com |  | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:21:02.686837912 CEST | 1.1.1.1 | 192.168.2.8 | 0x7f3a | No error (0) | checkip.dyndns.com |  | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:21:02.686837912 CEST | 1.1.1.1 | 192.168.2.8 | 0x7f3a | No error (0) | checkip.dyndns.com |  | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:21:02.686837912 CEST | 1.1.1.1 | 192.168.2.8 | 0x7f3a | No error (0) | checkip.dyndns.com |  | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:21:02.686837912 CEST | 1.1.1.1 | 192.168.2.8 | 0x7f3a | No error (0) | checkip.dyndns.com |  | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:21:04.204798937 CEST | 1.1.1.1 | 192.168.2.8 | 0x5f53 | No error (0) | reallyfreegeoip.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 24, 2024 15:21:04.204798937 CEST | 1.1.1.1 | 192.168.2.8 | 0x5f53 | No error (0) | reallyfreegeoip.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                          • reallyfreegeoip.org
                                          • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49710 | 193.122.6.168 | 80 | 7584 | C:\Users\user\Desktop\EKSTRE_1022.exe
Timestamp | Bytes transferred | Direction | Data
Oct 24, 2024 15:21:02.708482981 CEST | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
Oct 24, 2024 15:21:03.556114912 CEST | 323 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 24 Oct 2024 13:21:03 GMT
                                          Content-Type: text/html
                                          Content-Length: 106
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 93d0a86f68e2f33d9c5a4b475f7a788f
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
Oct 24, 2024 15:21:03.561868906 CEST | 127 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Oct 24, 2024 15:21:03.809865952 CEST | 323 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 24 Oct 2024 13:21:03 GMT
                                          Content-Type: text/html
                                          Content-Length: 106
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 7c44dd2aa08ec54496d332489e378486
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          1 | 192.168.2.8 | 49714 | 193.122.6.168 | 80 | 7752 | C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Oct 24, 2024 15:21:05.897456884 CEST | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Oct 24, 2024 15:21:06.749663115 CEST | 323 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 24 Oct 2024 13:21:06 GMT
                                          Content-Type: text/html
                                          Content-Length: 106
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: f232ed3047f213ff7cf6dd8bd4e30ca6
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>
                                          Oct 24, 2024 15:21:06.755157948 CEST | 127 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Oct 24, 2024 15:21:07.002935886 CEST | 323 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 24 Oct 2024 13:21:06 GMT
                                          Content-Type: text/html
                                          Content-Length: 106
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 1a20f07f564d68acea74b1a32bacb75e
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 173.254.250.71</body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.8 | 49712 | 188.114.96.34 | 443 | 7584 | C:\Users\user\Desktop\EKSTRE_1022.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-10-24 13:21:04 UTC | 87 | OUT | GET /xml/173.254.250.71 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-10-24 13:21:05 UTC | 895 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 24 Oct 2024 13:21:04 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 42012
                                          Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6oZQcbwDU7Msg9q6FPYc9pgCrWzATzexf42b8YwJgd3oU%2FDzY4Ly2TRkWMSJMhePBIiKxgligBpiy6bM5PcCHNRJ%2BHG6bguS5UopLGISZOjgMQ%2BNbZkqC%2FJ3DeE0I24N6FHKdPCe"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8d7a4495fff93ab8-DFW
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1726&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=913852&cwnd=250&unsent_bytes=0&cid=d542ad25d8993bc5&ts=223&x=0"
                                          2024-10-24 13:21:05 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                          Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                          2024-10-24 13:21:05 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          1 | 192.168.2.8 | 49716 | 188.114.96.34 | 443 | 7752 | C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2024-10-24 13:21:07 UTC | 87 | OUT | GET /xml/173.254.250.71 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2024-10-24 13:21:07 UTC | 898 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 24 Oct 2024 13:21:07 GMT
                                          Content-Type: application/xml
                                          Transfer-Encoding: chunked
                                          Connection: close
                                          access-control-allow-origin: *
                                          vary: Accept-Encoding
                                          Cache-Control: max-age=86400
                                          CF-Cache-Status: HIT
                                          Age: 42015
                                          Last-Modified: Thu, 24 Oct 2024 01:40:52 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=O5EwvdU3acGtINbrcFCFEaLG%2BpHrXAN%2FIFhWqOx54XXh4yowDitCehxhmDsM70SYWt866QONh5%2BxT2ObitCzVqGxuKnVt79TAgqVlGlACaSmwP%2FMnaOzz21%2FwOlcSrA2Kyx6A4qt"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8d7a44a778a2e72a-DFW
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1532&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=701&delivery_rate=1827129&cwnd=222&unsent_bytes=0&cid=2da696f862cdbaef&ts=222&x=0"
                                          2024-10-24 13:21:07 UTC | 366 | IN | Data Raw: 31 36 37 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 31 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 54 58 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 54 65 78 61 73 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4b 69 6c 6c 65 65 6e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 37 36 35 34 39 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65
                                          Data Ascii: 167<Response><IP>173.254.250.71</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>TX</RegionCode><RegionName>Texas</RegionName><City>Killeen</City><ZipCode>76549</ZipCode><TimeZone>America/Chicago</Time
                                          2024-10-24 13:21:07 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                          Data Ascii: 0
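The four sessions above show the same two-step pattern from both the submitted file (PID 7584) and its copy in AppData (PID 7752): fetch the public IP from checkip.dyndns.org, then query reallyfreegeoip.org for exactly that IP. The following is an added example, not part of the Joe Sandbox report, that correlates the two steps per PID over captured HTTP records and decodes the chunked XML reply. The records are constructed from the sessions above (PIDs, hosts, paths and bodies copied from the report, timestamps normalised to UTC); the record layout, the host lists and the 30-second window are assumptions.

```python
"""Correlate an external-IP lookup with a follow-on geolocation query for that IP."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hosts seen in this report; a production list would be longer (assumption).
IP_LOOKUP_HOSTS = {"checkip.dyndns.org"}
GEO_HOSTS = {"reallyfreegeoip.org"}
IP_RE = re.compile(rb"Current IP Address: (\d{1,3}(?:\.\d{1,3}){3})")
GEO_PATH_RE = re.compile(r"/xml/(\d{1,3}(?:\.\d{1,3}){3})$")


@dataclass
class HttpRecord:
    ts: datetime      # request time, UTC
    pid: int
    host: str
    path: str
    body: bytes       # raw response body as captured (may still be chunked)


def as_chunked(payload: bytes) -> bytes:
    """Wrap a payload as one HTTP/1.1 chunk, the way the geoip server answered above."""
    return f"{len(payload):x}\r\n".encode() + payload + b"\r\n0\r\n\r\n"


def dechunk(raw: bytes) -> bytes:
    """Decode chunked transfer-coding: hex size, CRLF, data, CRLF ... '0' CRLF CRLF."""
    out, pos = [], 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # drop any chunk extension
        if size == 0:
            return b"".join(out)
        out.append(raw[eol + 2: eol + 2 + size])
        pos = eol + 2 + size + 2


def parse_geo(xml_bytes: bytes) -> dict:
    """Flatten <Response><CountryCode>US</CountryCode>...</Response> into a dict."""
    # The document is tiny and of known shape; for arbitrary untrusted XML
    # prefer defusedxml over the stdlib parser.
    root = ET.fromstring(xml_bytes)
    return {child.tag: (child.text or "").strip() for child in root}


def correlate(records, window=timedelta(seconds=30)):
    """One finding per PID that learned its public IP and then geolocated that IP."""
    findings, last_lookup = [], {}
    for r in sorted(records, key=lambda x: x.ts):
        if r.host in IP_LOOKUP_HOSTS:
            m = IP_RE.search(r.body)
            if m:
                last_lookup[r.pid] = (r.ts, m.group(1).decode())
        elif r.host in GEO_HOSTS:
            seen = last_lookup.get(r.pid)
            m = GEO_PATH_RE.match(r.path)
            if seen and m and m.group(1) == seen[1] and r.ts - seen[0] <= window:
                geo = parse_geo(dechunk(r.body))
                findings.append({
                    "pid": r.pid,
                    "ip": seen[1],
                    "country": geo.get("CountryCode"),
                    "delay_s": (r.ts - seen[0]).total_seconds(),
                })
    return findings


# Constructed sample. The checkip body is the report's verbatim; the geoip body
# is the report's first chunk plus the closing tags the report display cut off.
CHECKIP_BODY = (b"<html><head><title>Current IP Check</title></head><body>"
                b"Current IP Address: 173.254.250.71</body></html>\r\n")
GEO_XML = (b"<Response>\n\t<IP>173.254.250.71</IP>\n\t<CountryCode>US</CountryCode>\n"
           b"\t<CountryName>United States</CountryName>\n\t<RegionCode>TX</RegionCode>\n"
           b"\t<RegionName>Texas</RegionName>\n\t<City>Killeen</City>\n"
           b"\t<ZipCode>76549</ZipCode>\n\t<TimeZone>America/Chicago</TimeZone>\n</Response>\n")
T = datetime(2024, 10, 24, 13, 21, 0)
RECORDS = [
    HttpRecord(T + timedelta(seconds=2), 7584, "checkip.dyndns.org", "/", CHECKIP_BODY),
    HttpRecord(T + timedelta(seconds=4), 7584, "reallyfreegeoip.org", "/xml/173.254.250.71", as_chunked(GEO_XML)),
    HttpRecord(T + timedelta(seconds=5), 7752, "checkip.dyndns.org", "/", CHECKIP_BODY),
    HttpRecord(T + timedelta(seconds=7), 7752, "reallyfreegeoip.org", "/xml/173.254.250.71", as_chunked(GEO_XML)),
    # Constructed benign control: an IP check with no follow-on geolocation query.
    HttpRecord(T + timedelta(minutes=5), 4242, "checkip.dyndns.org", "/", CHECKIP_BODY),
]

if __name__ == "__main__":
    for f in correlate(RECORDS):
        print(f"PID {f['pid']}: public IP {f['ip']} geolocated to {f['country']} "
              f"{f['delay_s']:.0f}s after the IP lookup")
```

Keying on the same PID and on the IP returned by the first request is what separates this from an ordinary "what is my IP" check: a browser or updater that asks checkip.dyndns.org never turns around and geolocates the answer within seconds, so the control record for PID 4242 produces no finding.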



                                          Target ID:0
                                          Start time:09:20:59
                                          Start date:24/10/2024
                                          Path:C:\Users\user\Desktop\EKSTRE_1022.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                          Imagebase:0x410000
                                          File size:573'960 bytes
                                          MD5 hash:B949A48B3046B4B4E6E68564B228FBB2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1424927570.0000000003FD7000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1424927570.000000000403B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:09:21:00
                                          Start date:24/10/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EKSTRE_1022.exe"
                                          Imagebase:0xb50000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:09:21:00
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6ee680000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
                                          Imagebase:0xb50000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6ee680000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp4FA4.tmp"
                                          Imagebase:0x9c0000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6ee680000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:9
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Users\user\Desktop\EKSTRE_1022.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                          Imagebase:0x160000
                                          File size:573'960 bytes
                                          MD5 hash:B949A48B3046B4B4E6E68564B228FBB2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:10
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Users\user\Desktop\EKSTRE_1022.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                          Imagebase:0x220000
                                          File size:573'960 bytes
                                          MD5 hash:B949A48B3046B4B4E6E68564B228FBB2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:11
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Users\user\Desktop\EKSTRE_1022.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                          Imagebase:0x350000
                                          File size:573'960 bytes
                                          MD5 hash:B949A48B3046B4B4E6E68564B228FBB2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:12
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Users\user\Desktop\EKSTRE_1022.exe
                                          Wow64 process (32bit):false
                                          Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                          Imagebase:0x230000
                                          File size:573'960 bytes
                                          MD5 hash:B949A48B3046B4B4E6E68564B228FBB2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:low
                                          Has exited:true

                                          Target ID:13
                                          Start time:09:21:01
                                          Start date:24/10/2024
                                          Path:C:\Users\user\Desktop\EKSTRE_1022.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\EKSTRE_1022.exe"
                                          Imagebase:0x790000
                                          File size:573'960 bytes
                                          MD5 hash:B949A48B3046B4B4E6E68564B228FBB2
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000D.00000002.2644076876.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000D.00000002.2647148367.0000000002D14000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:low
                                          Has exited:false

                                          Target ID:14
                                          Start time:09:21:02
                                          Start date:24/10/2024
                                          Path:C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
                                          Imagebase:0x460000
                                          File size:573'960 bytes
                                          MD5 hash:B949A48B3046B4B4E6E68564B228FBB2
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000E.00000002.1460220249.0000000004059000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 37%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:15
                                          Start time:09:21:02
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff605670000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:false

                                          Target ID:16
                                          Start time:09:21:04
                                          Start date:24/10/2024
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JIlApjvRxj" /XML "C:\Users\user\AppData\Local\Temp\tmp5DFC.tmp"
                                          Imagebase:0x9c0000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:17
                                          Start time:09:21:04
                                          Start date:24/10/2024
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6ee680000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:18
                                          Start time:09:21:05
                                          Start date:24/10/2024
                                          Path:C:\Users\user\AppData\Roaming\JIlApjvRxj.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\AppData\Roaming\JIlApjvRxj.exe"
                                          Imagebase:0xb50000
                                          File size:573'960 bytes
                                          MD5 hash:B949A48B3046B4B4E6E68564B228FBB2
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2646438586.0000000002F84000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Has exited:false


                                            Execution Graph

                                            Execution Coverage:11.4%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:3.3%
                                            Total number of Nodes:300
                                            Total number of Limit Nodes:10
[Execution graph: rendered graph data omitted. Recoverable information: nodes are function addresses in the 0x6ba0000, 0x2650000, 0xf50000, 0xb7d000 and 0x4d20000 regions; Windows APIs reached from them are OutputDebugStringW, CloseHandle, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, Wow64SetThreadContext, ResumeThread, CreateProcessA, NtQueryInformationProcess, PostMessageW, GetModuleHandleW, CallWindowProcW, CreateActCtxA and DuplicateHandle.]

                                            Control-flow Graph

[Control-flow graph for function 6bae734: basic-block edge data omitted; the block 6bae8cf-6bae989 calls CreateProcessA.]
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BAE976
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID: J+Au$J+Au
                                            • API String ID: 963392458-2378654435
                                            • Opcode ID: 80176fbedd23788e0e8bf91e581e586a6b39cd7e60e10d771ab388d186d602ad
                                            • Instruction ID: 681934293b6f6b8e23a725827ae843f31d5801a09badf5996d4821b5fce47580
                                            • Opcode Fuzzy Hash: 80176fbedd23788e0e8bf91e581e586a6b39cd7e60e10d771ab388d186d602ad
                                            • Instruction Fuzzy Hash: 0CA148B1D04319DFEB60DF68C84179EBBB2FF44310F1485A9E809A7240DB759986DF91

                                            Control-flow Graph

[Control-flow graph for function 6ba2ca0: three basic blocks; the block 6ba2ca0-6ba2d34 calls NtQueryInformationProcess.]
                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06BA2D27
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID: J+Au
                                            • API String ID: 1778838933-687355315
                                            • Opcode ID: 0f1f7fe77a95f61554ad2a531a6eb993b55a65a4d3ef2bfc11f19e10f7b1329b
                                            • Instruction ID: 228c3727b57b84cb3cdd0ce26eb14494ebda87cb3d2a9149ec297288e31f997c
                                            • Opcode Fuzzy Hash: 0f1f7fe77a95f61554ad2a531a6eb993b55a65a4d3ef2bfc11f19e10f7b1329b
                                            • Instruction Fuzzy Hash: 0621DBB6900349DFCB10CF9AD984ADEBBF4FB48310F10842AE918A7650C375A944CFA1

                                            Control-flow Graph

[Control-flow graph for function 6ba2ca8: three basic blocks; the block 6ba2ca8-6ba2d34 calls NtQueryInformationProcess.]
                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06BA2D27
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID: J+Au
                                            • API String ID: 1778838933-687355315
                                            • Opcode ID: a5ab1d9d3cc1979af0365a9a7b12614815c541ba0cf3804fbb0dbdd3e48a8b4d
                                            • Instruction ID: 86e3a1715cf52544d6284eebe656dbd2c311bb944b866989ad308afcce9fbdf2
                                            • Opcode Fuzzy Hash: a5ab1d9d3cc1979af0365a9a7b12614815c541ba0cf3804fbb0dbdd3e48a8b4d
                                            • Instruction Fuzzy Hash: 0621BDB5900349DFCB10DF9AD884ADEFBF4FB48310F10842AE918A7250C375A944CFA5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0fb87610aa39cf4e8f4cc45a89764f82ef7ec05d6a3e8d832892bb9a79fd225f
                                            • Instruction ID: 6609f17cfe7d249aaef34b59e3060e3965ba67062dac92f947b727d0619fc20b
                                            • Opcode Fuzzy Hash: 0fb87610aa39cf4e8f4cc45a89764f82ef7ec05d6a3e8d832892bb9a79fd225f
                                            • Instruction Fuzzy Hash: 6842A274E01218CFDB64DFA9C984B9DBBB2FF48305F1481A9E809AB355D734A981CF51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 128c259982e72ffa9425ce7a5ad883629d22576660c2fb5829d5749e33210257
                                            • Instruction ID: ecc1f75e43ab44a41e4d2883a23e2bd0cc13929a4ac2a2b33e809bd45ecd6b4a
                                            • Opcode Fuzzy Hash: 128c259982e72ffa9425ce7a5ad883629d22576660c2fb5829d5749e33210257
                                            • Instruction Fuzzy Hash: 4CC1BA31B007148FEB19DB75C860BAFB7E6AF89B44F1444ADE9468B390CB39E805CB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e94a40f7abc368c3af2ad9dbf563e89786c288642d8e4e0386681b8e1eac027
                                            • Instruction ID: d17254e9a820440e8333219af069f974f18767c333ab712ae0be8afde8282995
                                            • Opcode Fuzzy Hash: 8e94a40f7abc368c3af2ad9dbf563e89786c288642d8e4e0386681b8e1eac027
                                            • Instruction Fuzzy Hash: 56615A75E002099FDF04DFA9D8849EEBBF6FF89310F14842AE815A7254DB749906CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ec3ac41f364ea2db078edf8ba555e229abaa33327d7c445e835612fe88f5856d
                                            • Instruction ID: 6b224d0ad44a98212057d422dfa131b937a8d1bd95b1560e40f10bc81992f0fe
                                            • Opcode Fuzzy Hash: ec3ac41f364ea2db078edf8ba555e229abaa33327d7c445e835612fe88f5856d
                                            • Instruction Fuzzy Hash: 9F71F774E05318CFEB55CF69C994B9DBBB2BF88300F1481AAE808AB365D7359941CF51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7e4cc4b5541983f9b9febf8ae0682217fd150906273137b25da5ee6cce514f9d
                                            • Instruction ID: 341a110e6c45f21577d26765bddc147b83193b83a757e0f1e3bd708cb46334a0
                                            • Opcode Fuzzy Hash: 7e4cc4b5541983f9b9febf8ae0682217fd150906273137b25da5ee6cce514f9d
                                            • Instruction Fuzzy Hash: 355106B4D1E308DFEB84CFAAD5442FDBBFEAB4A300F00A165D419A6246D7348546CB84
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 63fe72b010bed318f0aaca2f7575477c258702dee590f59a1a4f717386e40fd9
                                            • Instruction ID: 2df7b4a6cfe571ba6727ce5357aa91e3a618c141d25fe04df33465b8255816b2
                                            • Opcode Fuzzy Hash: 63fe72b010bed318f0aaca2f7575477c258702dee590f59a1a4f717386e40fd9
                                            • Instruction Fuzzy Hash: 8B5190B1D002189FDB18CFEAD8846EEBBF2FF89300F10816AD419AB254DB745A46CF50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8f495e26a67bdac81da12eadec61e8dbc91e98220b695a295fc67e0122764156
                                            • Instruction ID: 0b7bfbc5509581f35f3e9943c44892f9f816ebadf3153301e64f50ad53e9d530
                                            • Opcode Fuzzy Hash: 8f495e26a67bdac81da12eadec61e8dbc91e98220b695a295fc67e0122764156
                                            • Instruction Fuzzy Hash: 9541A7B1E046199FDB18DFEAD88469EFBF2EF89300F14C16AD418AB254DB345A46CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c28d2c7e6641df11dfc70008411d4f1eeb6ba6408b1a391fa47f54a9340789c6
                                            • Instruction ID: 3940fadcbeafc8404b326d2311f91c251e3a584a427dfe4eb5c9c92c24f4048d
                                            • Opcode Fuzzy Hash: c28d2c7e6641df11dfc70008411d4f1eeb6ba6408b1a391fa47f54a9340789c6
                                            • Instruction Fuzzy Hash: 7E11E9B1D056188BEB18CFA7CD453DEFAF3AFC8300F14C56A940976254DB7509468A44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9af9d7f15a3375ddbda5bcac2441cb4dc8cc0ed7a1616b9faf7a90d66aa30b7e
                                            • Instruction ID: 93ec5b55d1249d2e3e3119c069b399aefa655d6852f7311fd2931843d55249e7
                                            • Opcode Fuzzy Hash: 9af9d7f15a3375ddbda5bcac2441cb4dc8cc0ed7a1616b9faf7a90d66aa30b7e
                                            • Instruction Fuzzy Hash: 5811E3B1D046588BEB18CFABC80439EFEF7AFC8300F14C16A940966258DB7509468A84
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 588bcb9ec37de99f4a7e11a5865cd1b090ab3df3ee76fd12dd5c96a51b9210b5
                                            • Instruction ID: df437f92f81693351740ed3c8c13012eeac82d7e9fb9a9ab1452e46869df802a
                                            • Opcode Fuzzy Hash: 588bcb9ec37de99f4a7e11a5865cd1b090ab3df3ee76fd12dd5c96a51b9210b5
                                            • Instruction Fuzzy Hash: C1E0E53898E228CBCB18CE94E9542F8B7FCEB4E315F0124A5DC0EA7221C7305A96CE04
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 509b2131afcde7804afb239db3a994bbc4896d56478a59dc70f6435e4e87035b
                                            • Instruction ID: a9e5d372944af098c6a0b4f00862bd635a4af8eb101e0fa03d7b88f4e8c2cec0
                                            • Opcode Fuzzy Hash: 509b2131afcde7804afb239db3a994bbc4896d56478a59dc70f6435e4e87035b
                                            • Instruction Fuzzy Hash: 38E04F78D4E114CBCB049A68A9541F8B7FCDB4A215F0524F6DC4E97212D2304552CA19

                                            Control-flow Graph

[Control-flow graph for function 6bae740: basic-block edge data omitted; the block 6bae8cf-6bae989 calls CreateProcessA.]
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06BAE976
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID: J+Au$J+Au
                                            • API String ID: 963392458-2378654435
                                            • Opcode ID: 4ca116e9b4e8da707775fdd8980c7ac303035749a93afdf5a7dcf0dc0c536f63
                                            • Instruction ID: f602f25ea9124f7134f3f9554f8898d50ea231e8f4fe0b4eac81d04b557b34f3
                                            • Opcode Fuzzy Hash: 4ca116e9b4e8da707775fdd8980c7ac303035749a93afdf5a7dcf0dc0c536f63
                                            • Instruction Fuzzy Hash: 11916AB1D04319CFEB60DF68C84179EBBB2FF48310F1485A9E808A7280DB759986DF91

                                            Control-flow Graph

                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00F5AF9E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID: J+Au
                                            • API String ID: 4139908857-687355315
                                            • Opcode ID: 1d129f3a1d065754fad5956d647ca3dac7d8effd7b375b2258c5a55170cda9ff
                                            • Instruction ID: 30f6ceb2ca1596a8217dbcee5e96ed991d2a115688034e0bfe34ba8d772b6470
                                            • Opcode Fuzzy Hash: 1d129f3a1d065754fad5956d647ca3dac7d8effd7b375b2258c5a55170cda9ff
                                            • Instruction Fuzzy Hash: 99716570A00B058FD724DF2AD44575ABBF1FF88315F008A2DD98AD7A40DB79E859CB92

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00F559C9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID: J+Au
                                            • API String ID: 2289755597-687355315
                                            • Opcode ID: 2d245d1d13d9b69e7fa7b1adf163b91dad842f86388d0dd8c6f8c3ef6c624db7
                                            • Instruction ID: 6d13346bba83ecee2553a47968557d3040095720d56f7909fcf20cd0e075dcf3
                                            • Opcode Fuzzy Hash: 2d245d1d13d9b69e7fa7b1adf163b91dad842f86388d0dd8c6f8c3ef6c624db7
                                            • Instruction Fuzzy Hash: 8541F2B1D0071DCFDB24DFA9C88478EBBB5BF48714F20816AD508AB251DB756949CF90

                                            Control-flow Graph

                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D24111
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1426175203.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d20000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID: J+Au
                                            • API String ID: 2714655100-687355315
                                            • Opcode ID: 06ee4b96ffc5b42132cfe27e9de022bbd6070f3a74d89dd4fba5f6259b00de79
                                            • Instruction ID: 1432bb950109ca0c1815f8dea6af22ee0908bd5ad27558e551833637b41c7315
                                            • Opcode Fuzzy Hash: 06ee4b96ffc5b42132cfe27e9de022bbd6070f3a74d89dd4fba5f6259b00de79
                                            • Instruction Fuzzy Hash: F5414BB8A00319DFDB14CF99C548A9ABBF5FF98318F24C458D519A7321D375A841CFA0

                                            Control-flow Graph

                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00F559C9
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID: J+Au
                                            • API String ID: 2289755597-687355315
                                            • Opcode ID: a4beadfdf32b4057f69c29ce15c0c90feca6870c78b8b521a261b90545b7d393
                                            • Instruction ID: f306b703e30de2bec20462e3caae24162c860b74ef21929d2539ef6d116e8905
                                            • Opcode Fuzzy Hash: a4beadfdf32b4057f69c29ce15c0c90feca6870c78b8b521a261b90545b7d393
                                            • Instruction Fuzzy Hash: 3641F1B1D0071DCFDB24DFA9C88478EBBB1BF88714F20816AD508AB251DB756949CF50

                                            Control-flow Graph

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BAE548
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID: J+Au
                                            • API String ID: 3559483778-687355315
                                            • Opcode ID: a488dc054332e7fba3a491b28d082e532357ded0d5ce81e3ea07111213c63ba2
                                            • Instruction ID: 9bd2378998388209cbac29ae4f387e42ed2c8e439b715d58414a4e61170d25e5
                                            • Opcode Fuzzy Hash: a488dc054332e7fba3a491b28d082e532357ded0d5ce81e3ea07111213c63ba2
                                            • Instruction Fuzzy Hash: 3E2146B1D003499FDB10CFAAC881BEEBBF1FF88310F10842AE919A7240D7799945DB60

                                            Control-flow Graph

                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06BAE548
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID: J+Au
                                            • API String ID: 3559483778-687355315
                                            • Opcode ID: 2007f41cc132228dab4a35514bda946331588731da2eaeea993d05d3a3f07065
                                            • Instruction ID: cddf751ca4a492267cf64bee4eb47cc26de5867d3d24152be92fcc65f3f0a914
                                            • Opcode Fuzzy Hash: 2007f41cc132228dab4a35514bda946331588731da2eaeea993d05d3a3f07065
                                            • Instruction Fuzzy Hash: DE2136B19003499FDF10DFAAC885BDEBBF5FF48310F10842AEA19A7240D7799945DBA4

                                            Control-flow Graph

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BAE628
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID: J+Au
                                            • API String ID: 1726664587-687355315
                                            • Opcode ID: ac96554584251868d39bc780f907502d46c1e0a92f68370d413fc4dfe6ec3382
                                            • Instruction ID: 16fd38685c4532d0c530c1ab78707e6b0625ab954cff56cc7fdfe6ba15334569
                                            • Opcode Fuzzy Hash: ac96554584251868d39bc780f907502d46c1e0a92f68370d413fc4dfe6ec3382
                                            • Instruction Fuzzy Hash: 0821F4B18003499FDB10DFAAC881BEEBBB5FF88310F108429E959A7241D779A945DB64

                                            Control-flow Graph

                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BAE39E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID: J+Au
                                            • API String ID: 983334009-687355315
                                            • Opcode ID: 16b50f7bef592a9f0eb942e526dc7707039955c773f0804f3cd67b4c65e28a7e
                                            • Instruction ID: b293fa6ec1cdeec8c3117668e6bb948a80485efa875634a0c704cefaee363938
                                            • Opcode Fuzzy Hash: 16b50f7bef592a9f0eb942e526dc7707039955c773f0804f3cd67b4c65e28a7e
                                            • Instruction Fuzzy Hash: FA2145B1D003098FDB60CFAAC4857EEBBF5EF88310F148429D959A7240CB789946CFA5

                                            Control-flow Graph

                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00F5D5E6,?,?,?,?,?), ref: 00F5D6A7
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID: J+Au
                                            • API String ID: 3793708945-687355315
                                            • Opcode ID: d5bc8a4ab920ea988a0667c3a5d5f46df10529c21883cfc0fb1e9d42309fde39
                                            • Instruction ID: d022f4b9f1749004f0e823b981b457443641fc72743c03bdc0a6985157130a96
                                            • Opcode Fuzzy Hash: d5bc8a4ab920ea988a0667c3a5d5f46df10529c21883cfc0fb1e9d42309fde39
                                            • Instruction Fuzzy Hash: 532105B5901249DFDB10CF9AD484ADEBBF4FB48310F14801AE918A7310C378A954CFA4

                                            Control-flow Graph

                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06BAE628
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID: J+Au
                                            • API String ID: 1726664587-687355315
                                            • Opcode ID: 09395e359b9d259f056403412ea0c616f0f9f50a18af316f590c5e6033b1dced
                                            • Instruction ID: 60191ca5be61cbcae9cb41915db06cf188a858cbb78799ee0d7089cf865a8f67
                                            • Opcode Fuzzy Hash: 09395e359b9d259f056403412ea0c616f0f9f50a18af316f590c5e6033b1dced
                                            • Instruction Fuzzy Hash: C12116B1C003499FDB10DFAAC880BDEBBF5FF48310F508429E919A7240D7799501DBA4

                                            Control-flow Graph

                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06BAE39E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID: J+Au
                                            • API String ID: 983334009-687355315
                                            • Opcode ID: 240c8f9326eacf6734f220f4fb492c01c13ab03ac03907ef34ddf40155658efd
                                            • Instruction ID: 99c71e256308d53e6b83440a27d742d2a48a0638f45b7409408354821454a4ed
                                            • Opcode Fuzzy Hash: 240c8f9326eacf6734f220f4fb492c01c13ab03ac03907ef34ddf40155658efd
                                            • Instruction Fuzzy Hash: 4C213871D003098FDB10DFAAC4857AEBBF4EF88310F148429D559A7240CB789945CFA4
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BAE466
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID: J+Au
                                            • API String ID: 4275171209-687355315
                                            • Opcode ID: 4ba29523caf80718b56c3e9ebe5126ede1be6330de727e547ce79dfca021169a
                                            • Instruction ID: 133012060b8401f11bb9613ee526996c727c934fe14ec823223a61eec062bdb7
                                            • Opcode Fuzzy Hash: 4ba29523caf80718b56c3e9ebe5126ede1be6330de727e547ce79dfca021169a
                                            • Instruction Fuzzy Hash: 7B1156728003498FDF20DFAAC844BEEBBF5EF88320F248419E555A7250CB759905CFA0
                                            APIs
                                            • OutputDebugStringW.KERNELBASE(00000000), ref: 06BA40F0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID: J+Au
                                            • API String ID: 1166629820-687355315
                                            • Opcode ID: ef5a5abe7d196764d38ce5dd57aaebef5a4b7ce08a7143203b370a610d40a859
                                            • Instruction ID: 01edd76b5e2992d350c8756ca8a287f4b84d9292d356760cef3f3665620a020f
                                            • Opcode Fuzzy Hash: ef5a5abe7d196764d38ce5dd57aaebef5a4b7ce08a7143203b370a610d40a859
                                            • Instruction Fuzzy Hash: 8A1126B1C0475A9FCB14DF9AD444B9EFBF4FB48710F10816AD919A3240C7B5A914CFA5
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06BAE466
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID: J+Au
                                            • API String ID: 4275171209-687355315
                                            • Opcode ID: 6772a057910d133af7a3defb24d43055f3eec1826c71d5620dcd5d44c3b2f1c5
                                            • Instruction ID: fea82f86bc75c7799f790d5a12db2a6871e0e7953cb5e6754759635499608005
                                            • Opcode Fuzzy Hash: 6772a057910d133af7a3defb24d43055f3eec1826c71d5620dcd5d44c3b2f1c5
                                            • Instruction Fuzzy Hash: CD1137718003499FDB10DFAAC844BDEBBF9EF88720F148419E515A7250CB75A544DFA0
                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 06BAE2D2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID: J+Au
                                            • API String ID: 947044025-687355315
                                            • Opcode ID: 5a85c5595350617e8d9a50a448d97b84b7179ea95744dbd4e0826d965a9a09bb
                                            • Instruction ID: b2a7fc2c8287c439c1d69deca6706a0c963852d3ae2e6007d2ecc6c82935c526
                                            • Opcode Fuzzy Hash: 5a85c5595350617e8d9a50a448d97b84b7179ea95744dbd4e0826d965a9a09bb
                                            • Instruction Fuzzy Hash: D61176B1C003498FDB20DFAAC4847EEFBF5AB88320F248429D419A7240CB799805CF94
                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 06BAE2D2
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID: J+Au
                                            • API String ID: 947044025-687355315
                                            • Opcode ID: e3395a854279bc26004553dc7509c0d5fb2d741001a41025c4f5680206df36e0
                                            • Instruction ID: 1eab36faa9e9263bd00c73e54c4600ae204febcbd2bc091e92404e6c7da93a71
                                            • Opcode Fuzzy Hash: e3395a854279bc26004553dc7509c0d5fb2d741001a41025c4f5680206df36e0
                                            • Instruction Fuzzy Hash: 991158B18003498FDB10DFAAC44479EFBF4EB88320F248419D519A7240CB79A504CB94
                                            APIs
                                            • OutputDebugStringW.KERNELBASE(00000000), ref: 06BA40F0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID: J+Au
                                            • API String ID: 1166629820-687355315
                                            • Opcode ID: fa6d5e4e87daa1ca7f2405ff727cbfeecc56de470e3e079ce48591544627e80f
                                            • Instruction ID: 8008446e4443c637adddbb0801052e1927a88888bb108b8080fbc93d53d1025f
                                            • Opcode Fuzzy Hash: fa6d5e4e87daa1ca7f2405ff727cbfeecc56de470e3e079ce48591544627e80f
                                            • Instruction Fuzzy Hash: 9C111FB5C0465A9FCB14CF9AD944B9EFBF4FB88320F10816AD818A7250C778A614CFA1
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00F5AF9E
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID: J+Au
                                            • API String ID: 4139908857-687355315
                                            • Opcode ID: 1d1f378373679477ab52e4c9829d7a99b404d1d924bc9f7aa368dcd112670762
                                            • Instruction ID: 5493bd1e053a3e4529090a5f7c176f78972336a360dd59aba4c73bb0da08c09e
                                            • Opcode Fuzzy Hash: 1d1f378373679477ab52e4c9829d7a99b404d1d924bc9f7aa368dcd112670762
                                            • Instruction Fuzzy Hash: F21110B5C003498FCB10CF9AC444BDEFBF4EB88324F10851AD919A7210C379A545CFA1
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 02652A3D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID: J+Au
                                            • API String ID: 410705778-687355315
                                            • Opcode ID: 0ba00a357e933821b515992335c06927d10ff629c3b16ab8473427e385e27df8
                                            • Instruction ID: 81a5cd78b76ae4f7eb33216822b003eb2b37844e2620b768196c52315b44eff5
                                            • Opcode Fuzzy Hash: 0ba00a357e933821b515992335c06927d10ff629c3b16ab8473427e385e27df8
                                            • Instruction Fuzzy Hash: 8311F2B58002499FDB20DF9AD985BEEFBF4FB48320F208419E959A7240C375A945CFA1
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 02652A3D
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID: J+Au
                                            • API String ID: 410705778-687355315
                                            • Opcode ID: 8a0c6767f30f7b493e369dff3853468a9b023b64d1dacaa910a28ab3c6fb6f77
                                            • Instruction ID: 899164d6c5779f3aae2d1d550cb2c779ae3f0dbcbdb676ca67560a78a6536c89
                                            • Opcode Fuzzy Hash: 8a0c6767f30f7b493e369dff3853468a9b023b64d1dacaa910a28ab3c6fb6f77
                                            • Instruction Fuzzy Hash: D211D3B58003499FDB20DF9AD985BDEFBF8FB48324F108419E918A7250C375A944CFA5
                                            APIs
                                            • CloseHandle.KERNELBASE(00000000), ref: 06BA418F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID: J+Au
                                            • API String ID: 2962429428-687355315
                                            • Opcode ID: 4e60f0f0ea9584cdb4f8a9c0582f145f6b37695a4165a6d6e55be5d10afb8d76
                                            • Instruction ID: 9078c45ab2d30dea023a0556cd2ad789d8aafeaa888ff489ff8ad67f87784c36
                                            • Opcode Fuzzy Hash: 4e60f0f0ea9584cdb4f8a9c0582f145f6b37695a4165a6d6e55be5d10afb8d76
                                            • Instruction Fuzzy Hash: 031128B18043598FDB10DF9AC8457EEFBF4EB48320F108469D518A3251D778A944CFA5
                                            APIs
                                            • CloseHandle.KERNELBASE(00000000), ref: 06BA418F
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID: J+Au
                                            • API String ID: 2962429428-687355315
                                            • Opcode ID: 4addc385b5ef615bcae64dee0577b5dd8fe08ae4564d0dcfc6955a4f05774513
                                            • Instruction ID: 48a9f043ef51007331c4eaaecbc4acc1acc1152bcbfe675c6b1128727c5f3aef
                                            • Opcode Fuzzy Hash: 4addc385b5ef615bcae64dee0577b5dd8fe08ae4564d0dcfc6955a4f05774513
                                            • Instruction Fuzzy Hash: 851125B1900349CFDB10CF9AC9857EEBBF4EF48324F20845AD518A3651D378A544CFA5
                                            APIs
                                            • OutputDebugStringW.KERNELBASE(00000000), ref: 06BA40F0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID:
                                            • API String ID: 1166629820-0
                                            • Opcode ID: f8c9c544eeef010c379389d88a99fba33d9959c47eedceaf0d38d3a8d35f12b9
                                            • Instruction ID: 93dc419623c09b0bcaef0329d2edee06bb7c1f4a0e00a207c0263a07567c0bfb
                                            • Opcode Fuzzy Hash: f8c9c544eeef010c379389d88a99fba33d9959c47eedceaf0d38d3a8d35f12b9
                                            • Instruction Fuzzy Hash: A2110EF2C09309CFDB20CFA8D8007ADBBB0FF81310F21819AC418A7281C7769958CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1423633028.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b6d000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c3268641a0709fe5c5754aaae393e012bbe405b16e104757f9a3efec03d5b08e
                                            • Instruction ID: 75bd23e978787adb8abe167876317081b7d337f6e63cf8542f02b7158898b175
                                            • Opcode Fuzzy Hash: c3268641a0709fe5c5754aaae393e012bbe405b16e104757f9a3efec03d5b08e
                                            • Instruction Fuzzy Hash: 37210371A04304DFDB14DF10D9C0B16BFA6FB95320F2481A9E9091B256C3BAD856CBA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1423633028.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b6d000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 547d133e34eedb4666fca2bf6ed0358598a95181c15dcf544b3bb41d05183a27
                                            • Instruction ID: dbb55ba19e4fd092c05be770f473457fec642c429c7297e40306e7bfe3235a01
                                            • Opcode Fuzzy Hash: 547d133e34eedb4666fca2bf6ed0358598a95181c15dcf544b3bb41d05183a27
                                            • Instruction Fuzzy Hash: A6210675A04344DFDB04DF10D9C4B16BBA5FB98324F24C5A9D9090B356C73AEC56CBA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1423721002.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b7d000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 932a8822362863c4199d45027da9aadfaf853ed738d0f3827e9fd7638400c031
                                            • Instruction ID: abd12bb8c68486b1f04b31cd15852a3819cdd9598bfa51b4faac0da86c5b464b
                                            • Opcode Fuzzy Hash: 932a8822362863c4199d45027da9aadfaf853ed738d0f3827e9fd7638400c031
                                            • Instruction Fuzzy Hash: 7421CF75604204AFDB05DF10D9C4B26BBB5FF84314F24C6ADE85E4B292C336D846CA61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1423721002.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b7d000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b4d4e7447f7566114342b8c45e06687edb36826c863e51c7f0ed65d1549a7dd9
                                            • Instruction ID: f9f1b796dfe8e516c7deba2a0695e1f7961a5e9125703d8931365ede5bd5adf6
                                            • Opcode Fuzzy Hash: b4d4e7447f7566114342b8c45e06687edb36826c863e51c7f0ed65d1549a7dd9
                                            • Instruction Fuzzy Hash: 8E21FF756043009FDB14DF10D9D4B16BBB1EB84314F20C5ADD80E4B286C33AD806CA62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1423721002.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b7d000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9218c75d3a08485e9d5ca0d39730197fa9318e0baa695561a8b4d6fc87a8e1b8
                                            • Instruction ID: 42ae3b9ec359606808896abffba34e08c827bb1882517aa427b73b9051613ffb
                                            • Opcode Fuzzy Hash: 9218c75d3a08485e9d5ca0d39730197fa9318e0baa695561a8b4d6fc87a8e1b8
                                            • Instruction Fuzzy Hash: 302162755083849FCB02CF14D994B15BFB1EF46314F28C5DAD8498F2A7C33A9856CB62
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1423633028.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b6d000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                            • Instruction ID: 57a28c92c7971f489d001fc73ef4dbce12f8dd5b206b2ef4499729f256b9c5b7
                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                            • Instruction Fuzzy Hash: 01110376A04240CFCB01CF00D5C0B16BFB2FB94324F24C2A9D8090B356C33AE856CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1423633028.0000000000B6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b6d000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                            • Instruction ID: 1c704b39ad19f50c28a9bd5f59bc357d9fae01fa963380fe79b1dd1e7ff70455
                                            • Opcode Fuzzy Hash: e3062b24f5b0128947100ec6e500ced3c6d63245422b7ec3b5033f72fc324263
                                            • Instruction Fuzzy Hash: CF11D376A04244CFCB15CF10D9C4B16BFB2FB95324F24C6ADD8094B256C37AD856CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1423721002.0000000000B7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_b7d000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                            • Instruction ID: f3f97dd7d46c6846952a03233f8a7a2c9243ccb1b303b0804ce1176929f3e80b
                                            • Opcode Fuzzy Hash: 8009cd9747851c6a16484d38da83a80e1112e09f0888f91abd329c0e09305381
                                            • Instruction Fuzzy Hash: 9D117975604284DFCB15DF14D5C4B15BBB2FB84324F28C6A9D8494B696C33AD84ACB61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1426175203.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d20000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6900b3ca9db34c718b166843b5f9c701bb468389ce99bf46527322bbe1ad7844
                                            • Instruction ID: abf6c939065f406296d0359d89785462c20cac832060d43a5f76c99360aafb95
                                            • Opcode Fuzzy Hash: 6900b3ca9db34c718b166843b5f9c701bb468389ce99bf46527322bbe1ad7844
                                            • Instruction Fuzzy Hash: 1A1284B9901746ABE310CF65EA4C3893FB1F7A5318F908209D2612EAE1D7BD194ACF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac94f117aef9edf7d15727cd6c4ddcbf9553cfe9b406d76474c48032896b5c74
                                            • Instruction ID: a7796cb733201358f1563fece8e1aba3a1db85a58df4a30b331ceba042d1d24d
                                            • Opcode Fuzzy Hash: ac94f117aef9edf7d15727cd6c4ddcbf9553cfe9b406d76474c48032896b5c74
                                            • Instruction Fuzzy Hash: 1AE11BB4E042598FDB14DFA8C580AAEFBF2FF89300F2481A9D458A7355D735A941CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: afbf914af1551729b5a25e91a900dd823070e8f558b9a5b9d37d2081d04d15f2
                                            • Instruction ID: 751a23be99126376e713e4d7334fe33a640aac10702092cddd1a18ae5dd816a7
                                            • Opcode Fuzzy Hash: afbf914af1551729b5a25e91a900dd823070e8f558b9a5b9d37d2081d04d15f2
                                            • Instruction Fuzzy Hash: 58E11BB4E042198FDB14DFA9C580AAEFBF2FF89305F2481A9D458A7355D734A942CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0009d3157319f885d0952388cf71b391e5cc814c72fa76643c5777fa3bf93b89
                                            • Instruction ID: 5b4e814ffef9c1ef1ede71a511001cf46bf81ab72816909f910a3697e8e1f691
                                            • Opcode Fuzzy Hash: 0009d3157319f885d0952388cf71b391e5cc814c72fa76643c5777fa3bf93b89
                                            • Instruction Fuzzy Hash: D5E1FCB4E042598FDB14DFA9C580AAEFBB2FF89305F2481A9D414AB355D7349D41CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67373262dee7dbb5a53323cff40df777afbe4e64f10324ee6e9147e945219939
                                            • Instruction ID: 953b1e73ebf9d542c317a065a8945bc7d43c08ca17d5c3ed2f4156248b1781b4
                                            • Opcode Fuzzy Hash: 67373262dee7dbb5a53323cff40df777afbe4e64f10324ee6e9147e945219939
                                            • Instruction Fuzzy Hash: B9E11DB4E042598FDB14DFA9C580AAEFBF2FF89305F2481A9D414AB355D734A942CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7ea7248a338984bb8743d76a8b4aa535eeee440080fbff55df9ba3a968c83372
                                            • Instruction ID: aac32076b0aaadf75906ee8799c9e0c408116ec108b9191d9fd2a7ce9cb2c897
                                            • Opcode Fuzzy Hash: 7ea7248a338984bb8743d76a8b4aa535eeee440080fbff55df9ba3a968c83372
                                            • Instruction Fuzzy Hash: 53E11CB4E042598FDB54DFA8C580AAEFBF2FF89305F2481A9D414AB355D731A941CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 37d19873126de0d4d26243cd68cef09d21d7bc68fdd828e82cf0637cfbcb0b9f
                                            • Instruction ID: 24324a1be32c2856bf6a849bd6a3f41a516b806a66d68289c995210b75595227
                                            • Opcode Fuzzy Hash: 37d19873126de0d4d26243cd68cef09d21d7bc68fdd828e82cf0637cfbcb0b9f
                                            • Instruction Fuzzy Hash: 00E11CB4E042598FDB14DFA8C5809AEFBF2FF89305F2481A9D458A7355C735A941CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 78b6deec345f3185a74a461fdde4dc3b572bb7506dce3a9415fb5c6eb90b3bd0
                                            • Instruction ID: b6da36d405baf136620f40b18c00511b6cd8186bb085819f8c15f1fa6671b18c
                                            • Opcode Fuzzy Hash: 78b6deec345f3185a74a461fdde4dc3b572bb7506dce3a9415fb5c6eb90b3bd0
                                            • Instruction Fuzzy Hash: 94E12AB4E042598FDB54DFA8C580AAEFBF2FF89305F2481A9D414AB355D731A942CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4a19b0240daa7cacf0754157e80375e7a716245f603185cd53be95c9f0c0458f
                                            • Instruction ID: ed6b4d7125c4d63ae12c1c1cb50b3b16b9551e3e53e76f646dd208e40787c58a
                                            • Opcode Fuzzy Hash: 4a19b0240daa7cacf0754157e80375e7a716245f603185cd53be95c9f0c0458f
                                            • Instruction Fuzzy Hash: 4EE11CB4E042598FDB14DFA8C580AAEFBF2FF89304F2481A9D458AB355D735A941CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 603d0426755f297004eb29f4835a23af18ebc14ba3a4f89861cb10c126f57ea9
                                            • Instruction ID: 907a8904717c849647d8259de74994f463763b27f8db820b1251c168bb736e4f
                                            • Opcode Fuzzy Hash: 603d0426755f297004eb29f4835a23af18ebc14ba3a4f89861cb10c126f57ea9
                                            • Instruction Fuzzy Hash: 20E11CB4E042598FDB14DF98C5809AEFBF2FF89304F2481A9D458AB355D735A942CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424299853.0000000000F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F50000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_f50000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 75471c81ae2f9308f6d97ceec317e055247021bb0856f1b3ed085d35d7386493
                                            • Instruction ID: ca1274f63a99a817d3f37e22ad35f119ddf059248159f18ddd06a90c0a7ab2ed
                                            • Opcode Fuzzy Hash: 75471c81ae2f9308f6d97ceec317e055247021bb0856f1b3ed085d35d7386493
                                            • Instruction Fuzzy Hash: 1CA16036E002058FCF05DFB4D84459EB7B2FF85311B1945BAE901AB266EB35ED0ADB80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1426175203.0000000004D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D20000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_4d20000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 03d7c9327a60eaf57c3ff9cd21e0f2b65b1847dd0f1af0f520196697597ca366
                                            • Instruction ID: 139d7dbbf3f8b0a07481f10a9d5a59fe16c8ed5c651a6682f16357a37d5fc3be
                                            • Opcode Fuzzy Hash: 03d7c9327a60eaf57c3ff9cd21e0f2b65b1847dd0f1af0f520196697597ca366
                                            • Instruction Fuzzy Hash: 5FC1F8B9801746EBE710CF65EA4C3897BB1FB99324F508309D2616BAD0DBBD184ACF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f8547c9448b21a232261f64cf1c77e28358104c3857793fb866f464143317da6
                                            • Instruction ID: ce82dde26db6e09d36303bbb586269aeab845f010551a8c0fbe3c2a949d0a2f7
                                            • Opcode Fuzzy Hash: f8547c9448b21a232261f64cf1c77e28358104c3857793fb866f464143317da6
                                            • Instruction Fuzzy Hash: 19718FB5E042188FDB54CFAAC984A9EFBF2FF88301F14C16AD419AB215DB349942CF50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ec6ded7dcb2b70b3752f3ffbeb7d77ee187bf5da298cf691af87eba9146956ce
                                            • Instruction ID: eb3383c54f90febbd6adc1b4608c2cd05f0db63150d43650a008ed44ae665961
                                            • Opcode Fuzzy Hash: ec6ded7dcb2b70b3752f3ffbeb7d77ee187bf5da298cf691af87eba9146956ce
                                            • Instruction Fuzzy Hash: 56512AB4E042198FDB54CFA9C5805AEFBF2FF89301F2481AAD418AB315D7319942CF60
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fb5e46a5e334284b24c84f6cebd42a434842aa3f6ad17eb447fcba0cfbbfa943
                                            • Instruction ID: 90030ff107695b96e2a5c0727708231feae69bc49835048b07c4bb8434e0e7d8
                                            • Opcode Fuzzy Hash: fb5e46a5e334284b24c84f6cebd42a434842aa3f6ad17eb447fcba0cfbbfa943
                                            • Instruction Fuzzy Hash: F25127B4E042198FDB14CFA9C5805AEBBF2FF89204F24C1A9D458AB355D7359942CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bc7728c3da14150f607c0d3b18ba5094da9d20e136130246bfbd520da2192bb0
                                            • Instruction ID: c0250e72837739c336e73b292652242b76601885dbf53654d7447037efcc1e72
                                            • Opcode Fuzzy Hash: bc7728c3da14150f607c0d3b18ba5094da9d20e136130246bfbd520da2192bb0
                                            • Instruction Fuzzy Hash: 585119B4E042198FDB14CFA9C5805AEFBF2FF89301F2481A9D458A7356D7359942CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1427687424.0000000006BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_6ba0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88df3681ec1f04a169e6efaaabc743d508eb5e974fdf7d4cb73718434d9f255b
                                            • Instruction ID: fad3ccf2fe053faba18b68323c07187f1f5506a5a097655c7c53828cdfc4a58a
                                            • Opcode Fuzzy Hash: 88df3681ec1f04a169e6efaaabc743d508eb5e974fdf7d4cb73718434d9f255b
                                            • Instruction Fuzzy Hash: 39518EB5E046188FDB48CFAAD98469EFBF2FF88300F14C06AD419AB315DB749946CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.1424480411.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_2650000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 46f3008b3cd511a2b22562807bbe59442d5ac982256255be78aea0b5b49b9a0a
                                            • Instruction ID: 923bedbcbd80012c0aaf50a03c9965090d9a7ce78b40c955545df6698cfe038e
                                            • Opcode Fuzzy Hash: 46f3008b3cd511a2b22562807bbe59442d5ac982256255be78aea0b5b49b9a0a
                                            • Instruction Fuzzy Hash: FAC09B15D8D03CD689184885AC250F9FB7CD397075F003073DD1FA34124110525BD559

                                            Execution Graph

                                            Execution Coverage:15.7%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:14.3%
                                            Total number of Nodes:28
                                            Total number of Limit Nodes:3
                                            execution_graph (rendered node/edge list removed). Entry nodes: 10c46d8, 10c48c9, 10c4ef8/10c4f08, 10cc168, 10cc76c, 10cca58. The only API reached in this graph is LdrInitializeThunk, via the nodes 10cc168, 10cc764 and 10cc8a9; 10cc76c reaches it through 10cc623, and 10cca58 through 10ccde6.

                                            Control-flow Graph

                                            Control-flow graph of the function at 10cc168 (rendered basic-block/edge list removed). Basic blocks span 10cc168-10cc9d1; the function calls 10c5d08 (from 10cc2bb and 10cc302), 10c5c00 (from 10cc302) and 10c5ca8 (from 10cc3df and 10cc9c1), recurses into 10cc168 from the block at 10cc7b0, and reaches the API call LdrInitializeThunk in the block at 10cc8a9-10cc8bf.
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2646206568.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_10c0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ca70cf1d281ccf2251c3b71ebad181cdd4a66ef2e59652b44f2b81355bdc2cbf
                                            • Instruction ID: e4813eb5e4f8cf8a202cba083fb508bd20d96ee19871b78dbe2b7b92e088646d
                                            • Opcode Fuzzy Hash: ca70cf1d281ccf2251c3b71ebad181cdd4a66ef2e59652b44f2b81355bdc2cbf
                                            • Instruction Fuzzy Hash: 04221974E002198FEB14DFA8C984B9EBBB2BF88700F1485A9D449AB351DB319D85CF50

                                            Control-flow Graph

                                            Control-flow graph of the function at 10cc76c (rendered basic-block/edge list removed). Basic blocks span 10cc623-10cc9d1 and overlap the blocks of the 10cc168 graph above; the function calls 10cc168 from the block at 10cc7b0 and 10c5ca8 from 10cc9c1, and reaches LdrInitializeThunk in the block at 10cc8a9-10cc8bf.
                                            APIs
                                            • LdrInitializeThunk.NTDLL(00000000), ref: 010CC8AE
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2646206568.00000000010C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 010C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_10c0000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: a6877d0bf9146fb088720485d1fd250c16d3ac6f1402aea10fa08a8eebb4cd7b
                                            • Instruction ID: 00a63fffb3078e78cc70a79b46994109dd8dfbff46559bbc0ccf570469d315ee
                                            • Opcode Fuzzy Hash: a6877d0bf9146fb088720485d1fd250c16d3ac6f1402aea10fa08a8eebb4cd7b
                                            • Instruction Fuzzy Hash: 48116074E002099FEB14DBA8D584AEEBBF5FB88714F148159E888E7342D7309C45CF60
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2645113224.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_ded000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7d4e601a4da20b18d63b9e2bd644320317ff829a9f9f3f844ede37a8d539f1cd
                                            • Instruction ID: 8d1d5e2c7389ed2041c708a1cd4a1b485db227c08b2e3ec59ea8c731385e90fa
                                            • Opcode Fuzzy Hash: 7d4e601a4da20b18d63b9e2bd644320317ff829a9f9f3f844ede37a8d539f1cd
                                            • Instruction Fuzzy Hash: F5212275604384DFDB10EF10D980B26BBA2FB84314F28C56DE8490B282CB3AD847CA72
                                            Memory Dump Source
                                            • Source File: 0000000D.00000002.2645113224.0000000000DED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DED000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_13_2_ded000_EKSTRE_1022.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0c67b27e7db1012611b9190b012f3c1dbe9a726457710eacb7bdd87195ab82f
                                            • Instruction ID: 61cf8c8eb7e208197d84f8cf83f0993bf161b5afc0b5d5e72f4ba0ee8b7ceb7c
                                            • Opcode Fuzzy Hash: f0c67b27e7db1012611b9190b012f3c1dbe9a726457710eacb7bdd87195ab82f
                                            • Instruction Fuzzy Hash: B3214B7550D3C09FCB03DB24D990711BF71AB46214F2985EBD8898F2A7C63A980ACB62

                                            Execution Graph

                                            Execution Coverage:11.2%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:229
                                            Total number of Limit Nodes:12
                                            execution_graph (rendered node/edge list removed). APIs reached, by entry node:
                                            • 6ea3d5a and 6ea3bd8 -> 6ea4038/6ea3384: OutputDebugStringW (6ea4080, 6ea40aa); -> 6ea3390: CloseHandle (6ea4130)
                                            • 6eaed08 -> 6eaeb5c -> 47c07a8/47c0798 -> 47c084e/47c07e7, which fan out to the wrappers 47c0bed-47c16ee and from there to CreateProcessA (6eae92e), ReadProcessMemory (6eae5ac), VirtualAllocEx (6eae438), WriteProcessMemory (6eae500), Wow64SetThreadContext (6eae365) and ResumeThread (6eae2b0)
                                            • 82af3d8 -> 6ea1b00 -> 6ea2a28 -> 6ea2a78 -> 6ea2b38 -> 6ea2ca8/6ea2ca0: NtQueryInformationProcess (6ea2ca7, 6ea2cf3)
                                            • 47c19c8: PostMessageW (47c1c47, 47c1c48)
                                            • 266ac50 -> 266ad37/266ad48: GetModuleHandleW (266af80)
                                            • 4d74050: CallWindowProcW (4d740ea)
                                            • 2664668 -> 2664778 -> 2664887/2664888 -> 26644f0: CreateActCtxA (2665918)
                                            • 266d3d8 -> 266d5b7/266d5b8 -> 266b730: DuplicateHandle (266d620)
                                            Taken together with NtQueryInformationProcess, the 6eae/47c0 subgraph contains the API set used to hollow a suspended child process (create the child suspended, read its image base, allocate and write a replacement image, redirect the primary thread's context, resume). The graph records reachability only, not call order, so the order must be confirmed from the API trace. Wow64SetThreadContext is the SetThreadContext variant for WOW64 (32-bit) threads.

                                            Control-flow Graph

                                            Control-flow graph of the function at 6eae734 (rendered basic-block/edge list removed). Basic blocks span 6eae734-6eaea85; three single-block loops (6eae7f5-6eae804, 6eae84e-6eae85d, 6eae8b6-6eae8c5) precede the CreateProcessA call in the block at 6eae8cf-6eae989, and the final block at 6eaea85 loops on itself.
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EAE976
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 8543bd2045b0a45b94e8efac432e3e2024f718d1fc173265c091f49471111fcd
                                            • Instruction ID: 8e110143fb2a375137e46f207c131326d3aac7b81372d0fc9fddd4a668cd2694
                                            • Opcode Fuzzy Hash: 8543bd2045b0a45b94e8efac432e3e2024f718d1fc173265c091f49471111fcd
                                            • Instruction Fuzzy Hash: 1EA16B71D00319CFEB60DF68C841BEEBBB2BF44314F0495A9E818AB240DB75A985DF91
                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06EA2D27
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0
                                            • Opcode ID: 11ea9fb5f7cdbd02be633c79e8fb642e1f3bc3b5dc2efc4874a9a48551c2c26a
                                            • Instruction ID: 8aeb8cd41b3e5c4d74836b153274fe4cb36fd99fb0176efa56d9561c1d1da19a
                                            • Opcode Fuzzy Hash: 11ea9fb5f7cdbd02be633c79e8fb642e1f3bc3b5dc2efc4874a9a48551c2c26a
                                            • Instruction Fuzzy Hash: D221DEB5901349EFCB10DF9AD885ADEBBF4BB48320F10852AE928A7250C375A544CFA5
                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 06EA2D27
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0
                                            • Opcode ID: a8c4c88f0abf21f940077794ed98bab139b40be9ec830f481f40808be79243eb
                                            • Instruction ID: 0ae839283b247d0c85c1d4b5a4cc55cf7c76bf879c50d0b2d9c279efbdcaa3a8
                                            • Opcode Fuzzy Hash: a8c4c88f0abf21f940077794ed98bab139b40be9ec830f481f40808be79243eb
                                            • Instruction Fuzzy Hash: D521BAB59003499FCB10DF9AD884ADEBBF4FB48320F10842AE918A7250C375AA44CFA5
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: c74e5dec2810135c8d2c9a4952cf2318cc0a58a68479b642e56a9b327c27cd85
                                            • Instruction ID: 5d3e0b4c727d317c70e2fbe0a3f2802b69a85c6a6979baa2632be2013b1fcb40
                                            • Opcode Fuzzy Hash: c74e5dec2810135c8d2c9a4952cf2318cc0a58a68479b642e56a9b327c27cd85
                                            • Instruction Fuzzy Hash: 11128F70A102199FDB18DF6AC854BAEBBF6FF88301F148519E916DB391DB349D81CB90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d9dc59e37b8c5da714817563de944c4fdffd4faf3d030c04d5c078fe8c3f209
                                            • Instruction ID: e060a199be14de33ff5186ce231aa10b38d8b23be99f6ef01a4b62b5acc234ed
                                            • Opcode Fuzzy Hash: 8d9dc59e37b8c5da714817563de944c4fdffd4faf3d030c04d5c078fe8c3f209
                                            • Instruction Fuzzy Hash: B532BF70D112198FEB64DF69C680A8EFBB6FF48312F55C199D448AB211DB309986CFA0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d2f4483e96cc868237a055117d625a3fbafd88c39a75d4ebb7b5e2a7cb83c652
                                            • Instruction ID: cd6beab7583da1d6114d0a8f3295bf5277616c9598decd50d405e336dfdb839d
                                            • Opcode Fuzzy Hash: d2f4483e96cc868237a055117d625a3fbafd88c39a75d4ebb7b5e2a7cb83c652
                                            • Instruction Fuzzy Hash: FFD13E74A10229DFCB14CFA9C988AADBBF2FF88701F15815AE816AB265D731DC41CF50

                                            Control-flow Graph (function starting at 6eae740; calls CreateProcessA)
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06EAE976
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: a588dd0a5478bdb73b8f581c5a50d6514ef836c97a4ba41467c75472cd4e4fee
                                            • Instruction ID: a05643b058d8d7fb849baaf31908ce34d40d4ab6c5eb39f260b71f6a4e8a5b9d
                                            • Opcode Fuzzy Hash: a588dd0a5478bdb73b8f581c5a50d6514ef836c97a4ba41467c75472cd4e4fee
                                            • Instruction Fuzzy Hash: CD915C71D00319CFEB64DF69C8417EDBBB2BF44314F1485A9E808AB240DB75A985DF91

                                            Control-flow Graph (function starting at 266ad48; calls GetModuleHandleW)
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0266AF9E
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: ce3fef29b7fe9ab10bc8e2683715ddda5291f32277ab351c11eb7af5739324ee
                                            • Instruction ID: b613592f3da57301976c42964c50c7920efab553b657b08df8a6c47440fa1ee8
                                            • Opcode Fuzzy Hash: ce3fef29b7fe9ab10bc8e2683715ddda5291f32277ab351c11eb7af5739324ee
                                            • Instruction Fuzzy Hash: 5E713670A00B059FD724DFAAD45876ABBF1FF88304F008A2DD48AA7B40DB75E945CB91

                                            Control-flow Graph (function starting at 26644f0; calls CreateActCtxA)
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 026659C9
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 0eb4bec4302e50c2403de69678798d733fb5e0519e4b11ab4068e574012ad829
                                            • Instruction ID: 5e675beb407a3ee50c17a235c3a17d9c1ab5fe01ce36401605c47b8e9773d701
                                            • Opcode Fuzzy Hash: 0eb4bec4302e50c2403de69678798d733fb5e0519e4b11ab4068e574012ad829
                                            • Instruction Fuzzy Hash: 274124B0D0031DCFDB24DFAAC84479EBBB5BF44704F608169D409AB250DB756946CF50

                                            Control-flow Graph (function starting at 4d74050; calls CallWindowProcW)
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 04D74111
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1464388850.0000000004D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D70000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_4d70000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: ec32527337cbe4fd98d7037b651e604995fcb27088b975a3ba3eafdf68c75714
                                            • Instruction ID: 8e4381b543e287aad478945488473f26b45df80ddd6d7ea5097d87f4906af9bf
                                            • Opcode Fuzzy Hash: ec32527337cbe4fd98d7037b651e604995fcb27088b975a3ba3eafdf68c75714
                                            • Instruction Fuzzy Hash: 63414CB9A00309DFDB15DF89C448AAABBF5FB88314F258459D519AB321D375A841CFA0

                                            Control-flow Graph (function starting at 2665917; calls CreateActCtxA)
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 026659C9
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 50d49b304885fb1c1c4c74305c1eb259115b0fd7e7b086696968ebe26324c7a7
                                            • Instruction ID: f26675072044200399663d50fd4149762a03a0a2e48f4eb24f355e2daf44a5a0
                                            • Opcode Fuzzy Hash: 50d49b304885fb1c1c4c74305c1eb259115b0fd7e7b086696968ebe26324c7a7
                                            • Instruction Fuzzy Hash: FF4102B1D0071DCFDB24DFAAC885B9EBBB1BF88704F60816AD409AB250DB756946CF50

                                            Control-flow Graph (function starting at 6eae4b8; calls WriteProcessMemory)
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06EAE548
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 45931122f095d9c0acab4eaa4607fa7376a794b35762e95d388aaff5e63bc0bd
                                            • Instruction ID: e97fbf68e47d7a62b942d00216a4367a645ceed2a60598295f026bc419ed4df3
                                            • Opcode Fuzzy Hash: 45931122f095d9c0acab4eaa4607fa7376a794b35762e95d388aaff5e63bc0bd
                                            • Instruction Fuzzy Hash: BD2136759003499FDF10DFAAC881BDEBBF5FF48310F50842AE919A7240D779A944DBA0

                                            Control-flow Graph (function starting at 6eae4b7; calls WriteProcessMemory)
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06EAE548
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 879c2d7c87aeebb305717494d4fe62bd0dc57b49c8ead06483e3ea04d174653d
                                            • Instruction ID: 4d39f4b3626c8e5e85e8cebdd10211c93ca8f645c7018edbdd39b9274b086053
                                            • Opcode Fuzzy Hash: 879c2d7c87aeebb305717494d4fe62bd0dc57b49c8ead06483e3ea04d174653d
                                            • Instruction Fuzzy Hash: CF2136759003499FDF10DFAAC881BDEBBF5FF48310F50842AE919A7240D7799945DBA0

                                            Control-flow Graph (function starting at 6eae5a0; calls ReadProcessMemory)
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06EAE628
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: ed36fa90a471956fdf61184e459bb2f35b9e84e90e4a4580970cd287de5d6b27
                                            • Instruction ID: 27af044b4e165bf62d1e2834c6834dab0f18bbe7adb92a3ae5258c1088f22e01
                                            • Opcode Fuzzy Hash: ed36fa90a471956fdf61184e459bb2f35b9e84e90e4a4580970cd287de5d6b27
                                            • Instruction Fuzzy Hash: A92125758003499FDB10DFAAC885BEEBBF5FF88310F508429E518A7240D778A901DBA0

                                            Control-flow Graph (function starting at 266b730; calls DuplicateHandle)
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0266D5E6,?,?,?,?,?), ref: 0266D6A7
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: ab4af093abc14d4bea4a75acf40bb5105e3dbefecae288ab259cbff8174d3f40
                                            • Instruction ID: 21e77111818a376ee1e16cfa8061486e3c2343ce4cd7f95d467b5355f95ab7eb
                                            • Opcode Fuzzy Hash: ab4af093abc14d4bea4a75acf40bb5105e3dbefecae288ab259cbff8174d3f40
                                            • Instruction Fuzzy Hash: DC2116B59003089FDB10CF9AD984AEEBFF4FB48310F14801AE918A7350C378A950CFA4

                                            Control-flow Graph (function starting at 6eae5a8; calls ReadProcessMemory)
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06EAE628
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 152dc0be9e5e7f254938cabc31e2593a1dff496264ee5a32cbca5529ab8ecb74
                                            • Instruction ID: 582c600850422aa7580b5b80032e37687a233484c64018f6eac6908cd3214a6c
                                            • Opcode Fuzzy Hash: 152dc0be9e5e7f254938cabc31e2593a1dff496264ee5a32cbca5529ab8ecb74
                                            • Instruction Fuzzy Hash: 9421F871C003499FDB10DFAAC881BDEBBF5FF88310F508429E519A7240D779A944DBA4

                                            Control-flow Graph (function starting at 6eae320; calls Wow64SetThreadContext)
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06EAE39E
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: a7315007c50fcd2b7884087f859107023778f2f125f27e9b7b383c606340b257
                                            • Instruction ID: 049cd77e09faee0e8af4abd79c309634f95e1e04e18c6e0922f6e4bef1828e1f
                                            • Opcode Fuzzy Hash: a7315007c50fcd2b7884087f859107023778f2f125f27e9b7b383c606340b257
                                            • Instruction Fuzzy Hash: 6B213571D003098FDB10DFAAC485BAEBBF4AF88324F54842AD459A7240CB78A944CFA4

                                            Control-flow Graph (function starting at 6eae31f; calls Wow64SetThreadContext)
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06EAE39E
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 4457e2a1b75b611d208e5cb95fdced6fb8f9a86cb0eca4ed4b23f610b277bb93
                                            • Instruction ID: ae8539cbd85653dc87cb7ea59af83940f794d2add9dceef73d33862ca0094695
                                            • Opcode Fuzzy Hash: 4457e2a1b75b611d208e5cb95fdced6fb8f9a86cb0eca4ed4b23f610b277bb93
                                            • Instruction Fuzzy Hash: AD213571D003098FDB10DFAAC4857EEBBF4EF88324F54842AD459A7240CB78A945CFA0
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0266D5E6,?,?,?,?,?), ref: 0266D6A7
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 830ccadf4a6216d9649be94ed37b997c52e32ff98a3ccc6f50f0336370117ef2
                                            • Instruction ID: 8b79e2eb5dba5b2b254bff4b15171c8150244eedbd4a247c8e882fa2a22974f9
                                            • Opcode Fuzzy Hash: 830ccadf4a6216d9649be94ed37b997c52e32ff98a3ccc6f50f0336370117ef2
                                            • Instruction Fuzzy Hash: 4A21F0B5900309DFDB10CFAAD584AEEBBF5FB48324F64801AE958A3350C378A954CF64
                                            APIs
                                            • OutputDebugStringW.KERNELBASE(00000000), ref: 06EA40F0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID:
                                            • API String ID: 1166629820-0
                                            • Opcode ID: f979691d4afdca8f523c5221a9949d757e7fc9a4a9bdd9e26cbe1cd8fa6a2494
                                            • Instruction ID: 66c2306d86ca303c81e1fad1775ad28906a6c4bf2ea57e192eb173023e8c020a
                                            • Opcode Fuzzy Hash: f979691d4afdca8f523c5221a9949d757e7fc9a4a9bdd9e26cbe1cd8fa6a2494
                                            • Instruction Fuzzy Hash: 401134B1C05349CFCB10DFA8D84079EBBF0EF41314F204199D418A72C1DB756958CBA2
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06EAE466
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 87ca06cecd7404298b458b323d709e20cd57cb5b8a31c894f07bbd3f3667379a
                                            • Instruction ID: 88f7c8f1a31b72be1cbdedbd2094505dc0e489e26b7a29adf4cfdb5ba3f209a5
                                            • Opcode Fuzzy Hash: 87ca06cecd7404298b458b323d709e20cd57cb5b8a31c894f07bbd3f3667379a
                                            • Instruction Fuzzy Hash: 6B1134768003499FDF10DFAAC845BDEBBF9EF88720F148819E519A7250CB75A944DFA0
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06EAE466
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: f5313d66686f7659a49dc04ec63ea1756ab0f909cea7f8ac498cf35cb576dcc8
                                            • Instruction ID: c0c45d12dab2c9508a14aa8e65d60bc95ed00eec307f7cef12b1fb0454432037
                                            • Opcode Fuzzy Hash: f5313d66686f7659a49dc04ec63ea1756ab0f909cea7f8ac498cf35cb576dcc8
                                            • Instruction Fuzzy Hash: AC1153728003498FDB10DFAAC844BDEBBF5EF88320F108819E529A7250CB75A944CFA0
                                            APIs
                                            • OutputDebugStringW.KERNELBASE(00000000), ref: 06EA40F0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID:
                                            • API String ID: 1166629820-0
                                            • Opcode ID: 205f2d85afea8f45c6dc2aed492e4664e3c98e8a610a6558ba0682fbbf9a9825
                                            • Instruction ID: a2c7bd81779995e49ad0d528144103b473dca7435a38012eb79cf37f4f0853c6
                                            • Opcode Fuzzy Hash: 205f2d85afea8f45c6dc2aed492e4664e3c98e8a610a6558ba0682fbbf9a9825
                                            • Instruction Fuzzy Hash: CC1133B1C0071ADFCB14DF9AD444B9EFBF4FB48210F10812AD819A7280D3B4A914CFA5
                                            APIs
                                            • OutputDebugStringW.KERNELBASE(00000000), ref: 06EA40F0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID:
                                            • API String ID: 1166629820-0
                                            • Opcode ID: be0a7c08f3680394bd2cfe30b4fb5cedb800f4555221432632eb78414f9501be
                                            • Instruction ID: ba91c622b5e1ab7d44946b8e4b290e040283a02aa998cb32055be45c2049d685
                                            • Opcode Fuzzy Hash: be0a7c08f3680394bd2cfe30b4fb5cedb800f4555221432632eb78414f9501be
                                            • Instruction Fuzzy Hash: F31142B1C0035A9FCB14DF9AD841B9EFBF4FB48320F10812AD818A7240D7B4A554CFA1
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: f94a6bf2308438de42dc6678f4831c27424ed2143fdabf37392193e0d0ab0b7c
                                            • Instruction ID: eb7b8b215dfbd84cd1c9592c26dddfe87935acf7ac26de8be656b9387b3fc4e9
                                            • Opcode Fuzzy Hash: f94a6bf2308438de42dc6678f4831c27424ed2143fdabf37392193e0d0ab0b7c
                                            • Instruction Fuzzy Hash: 3A1125719003498FDB24DFAAC4457DEFBF5AF88724F24841AD519A7240CB79A944CBA4
                                            APIs
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: e7d1443c5de2f4b87455b2b047d07b8174b49a8747670e3c09114663779d8466
                                            • Instruction ID: 9c1dc61142a29ced053ac5f753350de036df51e8b6136fd2d43db52c664215c7
                                            • Opcode Fuzzy Hash: e7d1443c5de2f4b87455b2b047d07b8174b49a8747670e3c09114663779d8466
                                            • Instruction Fuzzy Hash: 48113671D003498FDB24DFAAC8457DEFBF9AF88724F24841AD519A7240CB79A944CFA4
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0266AF9E
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1459093156.0000000002660000.00000040.00000800.00020000.00000000.sdmp, Offset: 02660000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_2660000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: aa40d7d8236d412b3c5ceb5e5fc79afbb55f72d1c39dc9bead968e5a506f7872
                                            • Instruction ID: 32fa9d14d86c581bed42a8c247a7193fb5d8ac45b3f217e3236def028ed7ce34
                                            • Opcode Fuzzy Hash: aa40d7d8236d412b3c5ceb5e5fc79afbb55f72d1c39dc9bead968e5a506f7872
                                            • Instruction Fuzzy Hash: D411E0B6C003498FDB14DF9AD544BDEFBF5AB88224F10845AD829B7610C3B9A545CFA1
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 047C1CA5
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1463731450.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_47c0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: a0daa79f98c70b5138d9b347d53cb419634b0daa5e942a9a420bb834481734e2
                                            • Instruction ID: 14a5ace2a161a8be806a6542ff8d2f9ab076e347bdd2e56c7b836a81a8facdae
                                            • Opcode Fuzzy Hash: a0daa79f98c70b5138d9b347d53cb419634b0daa5e942a9a420bb834481734e2
                                            • Instruction Fuzzy Hash: 7311D0B58003499FDB20DF9AC985BDEBBF8FB48320F10841AE918A7641C375A944CFA5
                                            APIs
                                            • PostMessageW.USER32(?,?,?,?), ref: 047C1CA5
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1463731450.00000000047C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 047C0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_47c0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: 08d101ee71b4d8f76390edd08fe678dba5248ef09e1059aa931e7e11eef0b145
                                            • Instruction ID: 525879f0a34499ba1a95ba0a23607dc1d7569d4ad962dbd59e8142ea551848bd
                                            • Opcode Fuzzy Hash: 08d101ee71b4d8f76390edd08fe678dba5248ef09e1059aa931e7e11eef0b145
                                            • Instruction Fuzzy Hash: 7B11D0B58003499FDB20DF9AD985BDEBFF8FB48320F10841AE918A7641C375A944CFA1
                                            APIs
                                            • CloseHandle.KERNELBASE(00000000), ref: 06EA418F
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: 430d0ead21e5a8cdcc212468981ce25ab8f279da422bcf7d2cfae0264b4a5e79
                                            • Instruction ID: 82c32c521d6a599e6396a515cb04ae23fc3e7a760dda4859eba5d95f59f30d05
                                            • Opcode Fuzzy Hash: 430d0ead21e5a8cdcc212468981ce25ab8f279da422bcf7d2cfae0264b4a5e79
                                            • Instruction Fuzzy Hash: 011128B1800349CFEB10DF9AC845BEEFBF4EB58324F108469E518A7281D778A944CFA5
                                            APIs
                                            • CloseHandle.KERNELBASE(00000000), ref: 06EA418F
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470158710.0000000006EA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EA0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_6ea0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: c9705bbcee8d12a4db060aa86d629bd4b3959e2774b6ba5725b8d1a7fd336dff
                                            • Instruction ID: 1a3d047cce2ea34cd54e0a1a0d91f203785d97842956cf00de72cbfa669d4242
                                            • Opcode Fuzzy Hash: c9705bbcee8d12a4db060aa86d629bd4b3959e2774b6ba5725b8d1a7fd336dff
                                            • Instruction Fuzzy Hash: 231158B1800309CFDB10DF9AC845BDEBBF4AB48324F108419D428A3281D778A544CFA1
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 929f49a3878f61f93889ea6c694cfbd97bd3f506e66bf58cea239c69be5cd2a8
                                            • Instruction ID: f0de6df033a2efc0a6c1f8afe709111a5c5eb19d45e4ac7dac238134fde47674
                                            • Opcode Fuzzy Hash: 929f49a3878f61f93889ea6c694cfbd97bd3f506e66bf58cea239c69be5cd2a8
                                            • Instruction Fuzzy Hash: C86201B0D21F02CBD7745F7486887AEBAA1AF55315F204D2ED0FECA280EB3595818F52
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8a733ca36dba576c43776a5540f38e47f42d382ea34a57096555ff7b1340e30c
                                            • Instruction ID: 4d46a00d2bfec359ade1e38ce053ab8a326356e5a920ba425dbcdd7854e32c9d
                                            • Opcode Fuzzy Hash: 8a733ca36dba576c43776a5540f38e47f42d382ea34a57096555ff7b1340e30c
                                            • Instruction Fuzzy Hash: 52328E74A10206DFCB14CF68D984AAEBBF6FF88702F158559E509DB6A5C730EC81CB61
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8d7f721bf868c48a97ebeaf33774e9163306db43c3bafea934378e3abf39a6c9
                                            • Instruction ID: 73dcf26013120b3ed8acf853391fe24eb18f6f20b9edcdb5eb63800404275533
                                            • Opcode Fuzzy Hash: 8d7f721bf868c48a97ebeaf33774e9163306db43c3bafea934378e3abf39a6c9
                                            • Instruction Fuzzy Hash: 22225A34B20205DFD708DF64E498A6DBBB2FF88701F60801DE94A9B395DB79AC46CB54
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 213a1885e9979cf368d7d4c7fb7155f19a4075a0ec4748f519e62f92b556cfdd
                                            • Instruction ID: b9d4f806c8338c1a0120d7b0d166c3875d267a60e2748a0ed5e7758b8a9a9907
                                            • Opcode Fuzzy Hash: 213a1885e9979cf368d7d4c7fb7155f19a4075a0ec4748f519e62f92b556cfdd
                                            • Instruction Fuzzy Hash: 542267F0915F438BD7705F6486C82AFBAA0AF16309F204D5FC0FE8A255E73691869F46
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf6c492b48c326df5e6faa0b9d2c8f3f37eedeb110d039c3d54ad779de69286a
                                            • Instruction ID: f9f57fa780cf83a564ca62955c636eafc7a88bad51cac177a344386fa5695801
                                            • Opcode Fuzzy Hash: cf6c492b48c326df5e6faa0b9d2c8f3f37eedeb110d039c3d54ad779de69286a
                                            • Instruction Fuzzy Hash: 71125930A10219DFDB15DF69D984AAEBBF2FF88312F148559E84ADB261DB30ED41CB50
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e0e2f53919d6963aa11c8404bc3b5b7812250ee16c810416ce2488829c27be3e
                                            • Instruction ID: 61bf74fb0e9df0b615de893aebe0d130eb948a94741f86710a67561313ad4060
                                            • Opcode Fuzzy Hash: e0e2f53919d6963aa11c8404bc3b5b7812250ee16c810416ce2488829c27be3e
                                            • Instruction Fuzzy Hash: F802BF34A10309DFCB15CF68C884AAEBBF6FF89311F14856AE8159B361D731E956CB90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4e88ec3309b30160ee2ff911a49e3f36b28a02c50ef7c5191a77d18f0b4fab6
                                            • Instruction ID: c5bc387b7e30ee2f8af097f2dda9935933d0afc7e22aabe5a45fc5fad04026e2
                                            • Opcode Fuzzy Hash: e4e88ec3309b30160ee2ff911a49e3f36b28a02c50ef7c5191a77d18f0b4fab6
                                            • Instruction Fuzzy Hash: 6BF14B78A1021ADFCB15CF59C484DAEBBFAFF88301B16C569E95597291C734EC42CB90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 235edbcf300ae04470c4da72e7e6f2d8946f43e3f81952e45482a28a15466efe
                                            • Instruction ID: a1f3ea0eff63057edf2f347301603a511af6ae0633e7ad1f317e80a571cc9128
                                            • Opcode Fuzzy Hash: 235edbcf300ae04470c4da72e7e6f2d8946f43e3f81952e45482a28a15466efe
                                            • Instruction Fuzzy Hash: E5B15E30331602CFDB2D9A69C99473936E6EF85752F1840BAE512CF3B5DAA5CC42DB41
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 47df66b5a8bf177aacec3048bc808eb49326f413816e158310703a03b118de6e
                                            • Instruction ID: 867f6ad198df8406c94d4c485e6a2d84c650b9c06afb6b9209d89f63f269c97c
                                            • Opcode Fuzzy Hash: 47df66b5a8bf177aacec3048bc808eb49326f413816e158310703a03b118de6e
                                            • Instruction Fuzzy Hash: 8DB1C130714201DFDB199F7AD884B6A7BE6AF88346F148429E916CB394DF75C882C7A0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ce9195bff109493a90f621c08c03d34f96e47490ceacc1a4aa6a5d881894d7c9
                                            • Instruction ID: 4d2d7feb7873c354a80899fc8861c67c2b83c9b8c1dff07414ab3426d37dcef8
                                            • Opcode Fuzzy Hash: ce9195bff109493a90f621c08c03d34f96e47490ceacc1a4aa6a5d881894d7c9
                                            • Instruction Fuzzy Hash: 8781A574B20205DFCB18DF6EC884AA9BBB6FF88716F158169D426D7361D731D881CB60
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67ebcff325bf93420a269008dfa075647dd53a97e65fbfe60ba79c46f223202d
                                            • Instruction ID: 2aaca7c0d98df100d0ef3a8cc7f0299c01bde1b9d82b06af080129e36befa2a6
                                            • Opcode Fuzzy Hash: 67ebcff325bf93420a269008dfa075647dd53a97e65fbfe60ba79c46f223202d
                                            • Instruction Fuzzy Hash: 4771EE707146029FDB29AB78D858A3E77A6EF99301F58406ED906DB7A0DF34EC0187A1
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fe22223b7c1ce8a309a401257272f2dab3e94cf024600fd55a1a2e79eddadf15
                                            • Instruction ID: e0d88af1627a9f6f0051821fcb0856bebcd54c91f19448e883798afe01a9674e
                                            • Opcode Fuzzy Hash: fe22223b7c1ce8a309a401257272f2dab3e94cf024600fd55a1a2e79eddadf15
                                            • Instruction Fuzzy Hash: 8981D238720611CFCB14EF68D4989697BF6BF89B05B1581A9E902DB375DBB1EC01CB90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fc0bacdc552b578a0b18db63316b046061057175517db9a3baf365879becc900
                                            • Instruction ID: 596f30c6bec0b9627a94267226d2bd0756db500fc56230e32477d04cb6a61750
                                            • Opcode Fuzzy Hash: fc0bacdc552b578a0b18db63316b046061057175517db9a3baf365879becc900
                                            • Instruction Fuzzy Hash: CC711934720226CFCB19DF29C594A7E7BE6AF49702B5940A9E906CB3B1DB71DC41CB90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 71d990f06eccc18863987102ad1683397e70edb9c4e3e88d665caf814c839058
                                            • Instruction ID: a50c4a7407fc4cc48b88ae6eccc3039102cf19cc9ba849f529146d913fb3c232
                                            • Opcode Fuzzy Hash: 71d990f06eccc18863987102ad1683397e70edb9c4e3e88d665caf814c839058
                                            • Instruction Fuzzy Hash: BB91FB3190061ACFDB10EF68C884A9DF7B1FF89304F11C69AD5497B225EB30AA85CF91
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f0be706a3f7de7da11a9d84ce9918a07a9916567f5848b018090d85c8e40dee5
                                            • Instruction ID: 844db3cbc645e00b729e2a044259427500f324567ea37f83a983ecc5b01c61f8
                                            • Opcode Fuzzy Hash: f0be706a3f7de7da11a9d84ce9918a07a9916567f5848b018090d85c8e40dee5
                                            • Instruction Fuzzy Hash: C0712B35B10218CFCB18EFA4C5549AD77F2FF89711B2444A9D405AB3A1CB76EC41CBA5
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2669e34c9e79aea004aec56390bff0dcf2fc7be01fa67df0499d8090bd6bef89
                                            • Instruction ID: ea52a4306d3534d2a89262238b61bec84803e82235111d2754ba0faf809534e0
                                            • Opcode Fuzzy Hash: 2669e34c9e79aea004aec56390bff0dcf2fc7be01fa67df0499d8090bd6bef89
                                            • Instruction Fuzzy Hash: 23714D34A10606DFDB28DFA5D48466DBBF2BF88302F24802AE846EB395DB34D845CB54
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6d1894653f8fc95e69ff564121192c29279caf24f02d372c5b4800c23aece6fc
                                            • Instruction ID: 55f546eb832bf16151525712543a156a616b746376a2a50c409eabd513dd6479
                                            • Opcode Fuzzy Hash: 6d1894653f8fc95e69ff564121192c29279caf24f02d372c5b4800c23aece6fc
                                            • Instruction Fuzzy Hash: 2A71C275A10209AFCF05DFA9D880ADEBBF6FF48310F14852AF915A3250D731A951DFA0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5689d27fe79fb9c2abbd6508a9da0f1f12af9acb7b6541dce20fceb83fbf944b
                                            • Instruction ID: c3df11120b497c8ce33387f2a58cfa9b20fe78e19f58b4b6e4a3dd83b3cb77b0
                                            • Opcode Fuzzy Hash: 5689d27fe79fb9c2abbd6508a9da0f1f12af9acb7b6541dce20fceb83fbf944b
                                            • Instruction Fuzzy Hash: 7961F5343216109FD645AB70E45AA7D3BA3E789B01F60800CFA4A4B3C9DFBE5D479B85
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3364034986253a5e3090aeaf0e3ac0fac4920f1fe5500ace706a5a005d1a21bc
                                            • Instruction ID: d7281595e1194e12e60669629a377658a602427d3232ee22ffb92645f042f605
                                            • Opcode Fuzzy Hash: 3364034986253a5e3090aeaf0e3ac0fac4920f1fe5500ace706a5a005d1a21bc
                                            • Instruction Fuzzy Hash: 5F5189347106118FCB18AB79C854A6EB7E6FF89B01B15456DE906CB361EFB5DC018B90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e2ed6493ab1d150b78e75e37255ad064ff8abe6971d5590aad32b9aba0ac6dd
                                            • Instruction ID: 3a35cee64e6f61ba01142ef4a29064730642cad3a12307ce3ba10c5330aa0336
                                            • Opcode Fuzzy Hash: 8e2ed6493ab1d150b78e75e37255ad064ff8abe6971d5590aad32b9aba0ac6dd
                                            • Instruction Fuzzy Hash: C9618975E1074ACFDB15CFA5C6406EEBBF2AF8A301F64821AE845AB641D770A981CB50
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0442378ab553bcf7a212490e8806cdd17f979fc520f933b48479d9af455b4371
                                            • Instruction ID: e59980e74fe209b7ab6fe33d0a7e8b445da74e2c0d5c578c1c982705df6aa3db
                                            • Opcode Fuzzy Hash: 0442378ab553bcf7a212490e8806cdd17f979fc520f933b48479d9af455b4371
                                            • Instruction Fuzzy Hash: 0851AB74E1074ACFCF21CFA5C5406EEBBF2AF89311F64821AE855AB681D770A981CB50
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 53fe0db90522b5d45ef412aa891597c1b7a5e5c713e1253e7cda4e8ef8efdf0f
                                            • Instruction ID: 8c0b7828fb02f42c651bf6bbc396d79619c1b27d114a4e8c1c15a96446efd0d4
                                            • Opcode Fuzzy Hash: 53fe0db90522b5d45ef412aa891597c1b7a5e5c713e1253e7cda4e8ef8efdf0f
                                            • Instruction Fuzzy Hash: C051A474E012199FDB08DFA9D994AAEFBB2FF88300F10812AE915AB354DB755906CF50
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3139f3f1ff227af36ed22337eae7bcf83bc95bc325a58eb0fda6693b0cdc7920
                                            • Instruction ID: 0a2058866ba801cd58816344c3ea4a97d9be78fc56902eb600be54c23398685b
                                            • Opcode Fuzzy Hash: 3139f3f1ff227af36ed22337eae7bcf83bc95bc325a58eb0fda6693b0cdc7920
                                            • Instruction Fuzzy Hash: 4441E130A14249DFCF15CFA4C884ADEBFB2BF89311F048056E815AB2A5D371E856CBA0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fbbd996dfc302ae95d31626562457513a9a54ad76b8ed5361aa80d36f7be41de
                                            • Instruction ID: ad5b90f2d34030adf68244e5c22663d958ee1ca8e07963ce3ec4da8537bcc7d2
                                            • Opcode Fuzzy Hash: fbbd996dfc302ae95d31626562457513a9a54ad76b8ed5361aa80d36f7be41de
                                            • Instruction Fuzzy Hash: 9D51D574E012199FDB08DFE9D884A9EFBB2FF88300F10812AE915AB354DB715906CF50
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3bce1a1a4caa6047c99fc2a9f5f4735529560b3f6d6b971442c7921c0f26cf6a
                                            • Instruction ID: dce9551927e28e35e0486f276b0696ae03970f7032b13852b5fba21baddad72b
                                            • Opcode Fuzzy Hash: 3bce1a1a4caa6047c99fc2a9f5f4735529560b3f6d6b971442c7921c0f26cf6a
                                            • Instruction Fuzzy Hash: 97410270910601AFC714CB69CC84966B7AEEFC03767198729D929973A5E731ED12CBE0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6ca94d49c208d105a4b5cd8e2e813f9d0d024344619e2707de104293357f7354
                                            • Instruction ID: db12925270a77a3b20cd18dcb3cf631491590c672a310b8c1224714b1e04fc37
                                            • Opcode Fuzzy Hash: 6ca94d49c208d105a4b5cd8e2e813f9d0d024344619e2707de104293357f7354
                                            • Instruction Fuzzy Hash: 8551B674E002199FDB08DFE9D944AAEFBB2FF88300F108129E915AB354DB715906CF50
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7797c07c20e8aef9614696dbb788784e75a85dc90fe95007e0a4b2c454700421
                                            • Instruction ID: d1513f0d59e7dbcbea1bcd76f6ef47b9a99f31ae873c805a561b1b0eb3695af8
                                            • Opcode Fuzzy Hash: 7797c07c20e8aef9614696dbb788784e75a85dc90fe95007e0a4b2c454700421
                                            • Instruction Fuzzy Hash: 84417175E10219CBEB14FFB4D0547ADBAB2EF88316F14482ED801B7350CBB59881CBA9
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a06c2a458c23b848be301bc3dca8cd8c8a1ae0d0bd466385c31d5957a1013580
                                            • Instruction ID: 4904e08918985eeda799e08d4a577291b7b437903a271b81f069e92dac85fe32
                                            • Opcode Fuzzy Hash: a06c2a458c23b848be301bc3dca8cd8c8a1ae0d0bd466385c31d5957a1013580
                                            • Instruction Fuzzy Hash: A941D230B146058FDB01EB68C814AADBBF6EFC5311F15816AE40ADB3A1DB74DD81CB91
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 31f6620eb1013b4dea56c6e33bed5a2c78a12efd0a5864f0f0055601cfc7fe69
                                            • Instruction ID: f086d47f4cde749c86ded387290d7c283c0be72156ed3a728e5681c26a246604
                                            • Opcode Fuzzy Hash: 31f6620eb1013b4dea56c6e33bed5a2c78a12efd0a5864f0f0055601cfc7fe69
                                            • Instruction Fuzzy Hash: B941CB30A00319DFDB15DF64C884BAABBF6FF88315F04802EE9169B251DB759946DBA0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d3aa4b2bdbc711f1e6f44cdb70a4020b0655e4260986d21b57b265f0d31f6a46
                                            • Instruction ID: e88b767c87e022f2067f046dedcd03a506611abbaa9347d0c9bbf9792d42b397
                                            • Opcode Fuzzy Hash: d3aa4b2bdbc711f1e6f44cdb70a4020b0655e4260986d21b57b265f0d31f6a46
                                            • Instruction Fuzzy Hash: 3531723161420ADFDB05AFA5D894AAF3FB2EF48341F048029FA069B345CB35D961DFA1
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 49d754765d46a05bc75cf4c86a721fb36c4e6029e6beac470898f7b88d8481f3
                                            • Instruction ID: 755bcf94a239ccab688ec22bb8eb032f5f9144cfbdcb2490d1616048f3e3874d
                                            • Opcode Fuzzy Hash: 49d754765d46a05bc75cf4c86a721fb36c4e6029e6beac470898f7b88d8481f3
                                            • Instruction Fuzzy Hash: 0431C6707242068FDB29EB35D854A3DB76AFF85722B144C9ED852CB245DF64CC41C791
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dd77a3aa2727a54be09d98e603bb9e878e350470c0ec6f344d9250ef4c24d156
                                            • Instruction ID: 38bdcb9bf975308a545910ca7a262677613cdfd46a4abc53bf2df6fb0456566c
                                            • Opcode Fuzzy Hash: dd77a3aa2727a54be09d98e603bb9e878e350470c0ec6f344d9250ef4c24d156
                                            • Instruction Fuzzy Hash: FD21C531325212CBDB186A36849433E75DBAFC5766F14843DD912DB399DE66CC82D780
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e16ada2fa3cab9f1215fcbf643a3b9f3a79f34ed7f410111514e7762f245937
                                            • Instruction ID: b8f815319b7bf2231140201f39b866da3aa877438f88615ee32194d9e712d2ee
                                            • Opcode Fuzzy Hash: 6e16ada2fa3cab9f1215fcbf643a3b9f3a79f34ed7f410111514e7762f245937
                                            • Instruction Fuzzy Hash: 7B31A276E1021AAFCF01DFA8D8809EEBBF6FF8C310F15412AF915A3210D73199659B90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 48d1992fb57ada5e2bd20804a1ce6c90ce6191e0ba9ac901e53db386f53ed05d
                                            • Instruction ID: 99b392c4b4183ec7cbd53962feaf8494ea38745fe483477e4daaab0f6d772335
                                            • Opcode Fuzzy Hash: 48d1992fb57ada5e2bd20804a1ce6c90ce6191e0ba9ac901e53db386f53ed05d
                                            • Instruction Fuzzy Hash: 59318074E51615CFEB18EF7590543AD7AB2EF88312F10883EC802B7391CBB989858B95
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8ef55e2ae2ad067c5f59f20cf94119c7664a11ff570758fe80145864291ba27e
                                            • Instruction ID: c94fbece8feaa26248009e573cf857f635e9a2c037edf91ceb6791a8eb7db541
                                            • Opcode Fuzzy Hash: 8ef55e2ae2ad067c5f59f20cf94119c7664a11ff570758fe80145864291ba27e
                                            • Instruction Fuzzy Hash: 9331B435610205DFDB14DF65C844BAEBBB6EF84305F00456DD6029B6B1EB35ED4ACB90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1458383982.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_dbd000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e2e1d8eb6bee010b9032f3edaf1174915a30c8ac576b216eaec714a1daaff0ae
                                            • Instruction ID: 90d23a6fb1bf275f4600468804a9ec2fa071099c939e5cea6a34b2a55662bff2
                                            • Opcode Fuzzy Hash: e2e1d8eb6bee010b9032f3edaf1174915a30c8ac576b216eaec714a1daaff0ae
                                            • Instruction Fuzzy Hash: 132125B5604304DFDB04DF10D9C4B56BB66FB98324F24C66DE84A0B256D33AE856CBB2
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1458383982.0000000000DBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DBD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_dbd000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 811ca8d51993f41632ae229adaa0afbe0cbf74a874fd6bad0d29bbdc0264939f
                                            • Instruction ID: 27f45b829585ae90008d7e3e25f89919ed8e1aa951bcd6c27e58a41801c6762d
                                            • Opcode Fuzzy Hash: 811ca8d51993f41632ae229adaa0afbe0cbf74a874fd6bad0d29bbdc0264939f
                                            • Instruction Fuzzy Hash: 45213371504200DFDB10DF10D9C0B66BFA6FB88328F24C169E84A0B246D336D806CBB2
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2ff8946af780e6d68279700b6c5b9011578623da43474ddb97536c5d293781e1
                                            • Instruction ID: 80b139fe34b8a6a8e95c9df4ff1cec93cedd8fa405eb815eb54ba341b9fd4a2b
                                            • Opcode Fuzzy Hash: 2ff8946af780e6d68279700b6c5b9011578623da43474ddb97536c5d293781e1
                                            • Instruction Fuzzy Hash: 92216D70B006058FCB04EB68C549AADBBF6EF88311F14415AE81ADB3B1EB70DD41CB91
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 42e50f949075422ce25b355910fa82d16685aafe02fecc8af223da2dd5967eb0
                                            • Instruction ID: ba8ab3ad06995fdb371bd81998cda20c5d3e8511b409d668e70dd1cdd6a4f028
                                            • Opcode Fuzzy Hash: 42e50f949075422ce25b355910fa82d16685aafe02fecc8af223da2dd5967eb0
                                            • Instruction Fuzzy Hash: 2221DE38721612CFC719AA3AD454A2EBBA2EFC8792714806DE916CB394CE31DC418BD0
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b200a4f77e1ee1ea1f63b98662015e82772ffb2c6799409a4d37e7ee73439f7
                                            • Instruction ID: 94683cf5e73b719349aa7f962ed4e0ad036fd4be16e6236f40fbac5c5a2072ce
                                            • Opcode Fuzzy Hash: 2b200a4f77e1ee1ea1f63b98662015e82772ffb2c6799409a4d37e7ee73439f7
                                            • Instruction Fuzzy Hash: 1021D331610205DFDB20DF65C844AAEB7B6EF84301F00456DD6029B6B1EB35E94ACB90
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1458462205.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_dcd000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df53596bb05ec1a14c8dc48881d327b8cf8c3efb0fe4a3735c610cf1734262fe
                                            • Instruction ID: d54f27d0cbdea380915ac44acaae6f868c8c2d7f7280a6f789f9808ed7c4646e
                                            • Opcode Fuzzy Hash: df53596bb05ec1a14c8dc48881d327b8cf8c3efb0fe4a3735c610cf1734262fe
                                            • Instruction Fuzzy Hash: D121CF756043059FDB14DF18D984F16BBA6FB84324F24C56DE84A4B286C33AD847DA72
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1458462205.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_dcd000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16ed9ed2068bad4f034b55f0f22fc7f25bb0be3c172f17f2050d2ed7c8c045c4
                                            • Instruction ID: 621e4ee3ba0609e92aa043f45ea7523f9a6adb94d002d6d9fb77cc0eff7b29e6
                                            • Opcode Fuzzy Hash: 16ed9ed2068bad4f034b55f0f22fc7f25bb0be3c172f17f2050d2ed7c8c045c4
                                            • Instruction Fuzzy Hash: AA21CFB5604305AFDB05DF10D984F26FBA6FB84314F24C67DE8494B296C336D846CA61
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: df551559bfca8b4685c8e14811163e8fcba89dad1a563152e2e7556e9412fb8a
                                            • Instruction ID: f003515b2a532b05334978021899f409f8bd54343adc3d20245ba93a9b8d2112
                                            • Opcode Fuzzy Hash: df551559bfca8b4685c8e14811163e8fcba89dad1a563152e2e7556e9412fb8a
                                            • Instruction Fuzzy Hash: 7A216674A2021AEFEB18DFA5D944BAEBBB6BF44301F10442DE501A7380DB759901EBA4
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4bd3799ef378aaeea8559fa872b87c6cf1c7eda5fd6bea692d6204735a169433
                                            • Instruction ID: 342056a59f3046c829aef75bce6c086cd43c15de941a5e6da8b3e5a7eb4998d3
                                            • Opcode Fuzzy Hash: 4bd3799ef378aaeea8559fa872b87c6cf1c7eda5fd6bea692d6204735a169433
                                            • Instruction Fuzzy Hash: 4F21B275E1021AEFDF059FB0D85499DBBB2FF89304B448519E002BB264DB75A855CF90
                                            Memory Dump Source
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 16fd69308eb0750fd98dcd2b4a9e400e648cbb1a3ffb92ed4002904121514dce
                                            • Instruction ID: b026d0bb007e225e0f332751be0b2cfff524fe0bfd0c3845a22dff967578acd3
                                            • Opcode Fuzzy Hash: 16fd69308eb0750fd98dcd2b4a9e400e648cbb1a3ffb92ed4002904121514dce
                                            • Instruction Fuzzy Hash: 5ED0A734951603DFDF12DF68E868604B7A0FB40305B00C295D0018B009E778E482CB84
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e3e2acbf44e9c5f71bc68e9728a18aa7622ca392ab8d969bd4b9ac71f3cf682
                                            • Instruction ID: 720b8a49aa5d25cd62fe8f89c0530210c321dca216770b79426bec82019b44e2
                                            • Opcode Fuzzy Hash: 6e3e2acbf44e9c5f71bc68e9728a18aa7622ca392ab8d969bd4b9ac71f3cf682
                                            • Instruction Fuzzy Hash: EFC0123101030CCFD905FB65E845555376FF6C4541B40C518A5150A51EDF785D044BB1
                                            Memory Dump Source
                                            • Source File: 0000000E.00000002.1470754386.00000000082A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 082A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_14_2_82a0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e232bf56176022f27eda1c44fb13a3521f6b8f75fbb124f4fadc627ff1ec3964
                                            • Instruction ID: 730caa9bbe4e79ed18e084f0691f441a89c9b4103ce5fd64c37cb65735c0d2af
                                            • Opcode Fuzzy Hash: e232bf56176022f27eda1c44fb13a3521f6b8f75fbb124f4fadc627ff1ec3964
                                            • Instruction Fuzzy Hash: 0DC08C30052349CBD310ABAAF54CB2836E9AF01303F580020B20A804909EB40040CB65

                                            Execution Graph

                                            Execution Coverage:13.6%
                                            Dynamic/Decrypted Code Coverage:100%
                                            Signature Coverage:0%
                                            Total number of Nodes:28
                                            Total number of Limit Nodes:3
                                            execution_graph 9919 2cb46d8 9920 2cb46e4 9919->9920 9923 2cb48c9 9920->9923 9924 2cb48e4 9923->9924 9928 2cb4ef8 9924->9928 9933 2cb4f08 9924->9933 9925 2cb4713 9929 2cb4f08 9928->9929 9930 2cb4ff6 9929->9930 9938 2cbc168 9929->9938 9942 2cbc76c 9929->9942 9930->9925 9934 2cb4f2a 9933->9934 9935 2cb4ff6 9934->9935 9936 2cbc168 LdrInitializeThunk 9934->9936 9937 2cbc76c 2 API calls 9934->9937 9935->9925 9936->9935 9937->9935 9939 2cbc17a 9938->9939 9940 2cbc17f 9938->9940 9939->9930 9940->9939 9941 2cbc8a9 LdrInitializeThunk 9940->9941 9941->9939 9946 2cbc623 9942->9946 9943 2cbc764 LdrInitializeThunk 9945 2cbc8c1 9943->9945 9945->9930 9946->9943 9947 2cbc168 LdrInitializeThunk 9946->9947 9947->9946 9948 2cbca58 9949 2cbca5f 9948->9949 9951 2cbca65 9948->9951 9950 2cbc168 LdrInitializeThunk 9949->9950 9949->9951 9953 2cbcde6 9949->9953 9950->9953 9952 2cbc168 LdrInitializeThunk 9952->9953 9953->9951 9953->9952

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 879 2cbc168-2cbc178 880 2cbc17a 879->880 881 2cbc17f-2cbc18b 879->881 882 2cbc2ab-2cbc2b5 880->882 884 2cbc18d 881->884 885 2cbc192-2cbc1a7 881->885 884->882 888 2cbc2bb-2cbc2fb call 2cb5d08 885->888 889 2cbc1ad-2cbc1b8 885->889 905 2cbc302-2cbc378 call 2cb5d08 call 2cb5c00 888->905 892 2cbc1be-2cbc1c5 889->892 893 2cbc2b6 889->893 895 2cbc1f2-2cbc1fd 892->895 896 2cbc1c7-2cbc1de 892->896 893->888 900 2cbc20a-2cbc214 895->900 901 2cbc1ff-2cbc207 895->901 896->905 906 2cbc1e4-2cbc1e7 896->906 909 2cbc21a-2cbc224 900->909 910 2cbc29e-2cbc2a3 900->910 901->900 940 2cbc37a-2cbc3b7 905->940 941 2cbc3df-2cbc454 call 2cb5ca8 905->941 906->893 912 2cbc1ed-2cbc1f0 906->912 909->893 916 2cbc22a-2cbc246 909->916 910->882 912->895 912->896 922 2cbc24a-2cbc24d 916->922 923 2cbc248 916->923 925 2cbc24f-2cbc252 922->925 926 2cbc254-2cbc257 922->926 923->882 928 2cbc25a-2cbc268 925->928 926->928 928->893 933 2cbc26a-2cbc271 928->933 933->882 934 2cbc273-2cbc279 933->934 934->893 935 2cbc27b-2cbc280 934->935 935->893 937 2cbc282-2cbc295 935->937 937->893 943 2cbc297-2cbc29a 937->943 944 2cbc3b9 940->944 945 2cbc3be-2cbc3dc 940->945 948 2cbc4f3-2cbc4f9 941->948 943->934 947 2cbc29c 943->947 944->945 945->941 947->882 949 2cbc459-2cbc46c 948->949 950 2cbc4ff-2cbc517 948->950 951 2cbc46e 949->951 952 2cbc473-2cbc4c4 949->952 953 2cbc52b-2cbc53e 950->953 954 2cbc519-2cbc526 950->954 951->952 972 2cbc4d7-2cbc4e9 952->972 973 2cbc4c6-2cbc4d4 952->973 956 2cbc540 953->956 957 2cbc545-2cbc561 953->957 955 2cbc8c1-2cbc9bf 954->955 962 2cbc9c1-2cbc9c6 call 2cb5ca8 955->962 963 2cbc9c7-2cbc9d1 955->963 956->957 959 2cbc568-2cbc58c 957->959 960 2cbc563 957->960 967 2cbc58e 959->967 968 2cbc593-2cbc5c5 959->968 960->959 962->963 967->968 977 2cbc5cc-2cbc60e 968->977 978 2cbc5c7 968->978 974 2cbc4eb 972->974 975 2cbc4f0 972->975 973->950 974->975 975->948 980 2cbc610 977->980 981 2cbc615-2cbc61e 977->981 978->977 980->981 982 2cbc846-2cbc84c 981->982 983 2cbc623-2cbc648 982->983 984 2cbc852-2cbc865 982->984 987 2cbc64a 983->987 988 2cbc64f-2cbc686 983->988 985 2cbc86c-2cbc887 984->985 986 2cbc867 984->986 989 2cbc889 985->989 990 2cbc88e-2cbc8a2 985->990 986->985 987->988 996 2cbc688 988->996 997 2cbc68d-2cbc6bf 988->997 989->990 994 2cbc8a9-2cbc8bf LdrInitializeThunk 990->994 995 2cbc8a4 990->995 994->955 995->994 996->997 999 2cbc723-2cbc736 997->999 1000 2cbc6c1-2cbc6e6 997->1000 1001 2cbc738 999->1001 1002 2cbc73d-2cbc762 999->1002 1003 2cbc6e8 1000->1003 1004 2cbc6ed-2cbc71b 1000->1004 1001->1002 1007 2cbc771-2cbc7a9 1002->1007 1008 2cbc764-2cbc765 1002->1008 1003->1004 1004->999 1009 2cbc7ab 1007->1009 1010 2cbc7b0-2cbc811 call 2cbc168 1007->1010 1008->984 1009->1010 1016 2cbc818-2cbc83c 1010->1016 1017 2cbc813 1010->1017 1020 2cbc83e 1016->1020 1021 2cbc843 1016->1021 1017->1016 1020->1021 1021->982
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2646113626.0000000002CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2cb0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 940f004f01426f915bf61ff81f6b5f23993f11a6089f067a3857ee09328f4534
                                            • Instruction ID: 2f7c2d47903556995977ad3208670bc64d219ed12b92e5e0f838cc61890cf213
                                            • Opcode Fuzzy Hash: 940f004f01426f915bf61ff81f6b5f23993f11a6089f067a3857ee09328f4534
                                            • Instruction Fuzzy Hash: 72222874E002198FDB15DFA9C884BDDBBB2BF88304F5081AAD409AB355DB359E86CF51

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 1685 2cbc76c 1686 2cbc82b-2cbc83c 1685->1686 1687 2cbc83e 1686->1687 1688 2cbc843-2cbc84c 1686->1688 1687->1688 1690 2cbc623-2cbc648 1688->1690 1691 2cbc852-2cbc865 1688->1691 1694 2cbc64a 1690->1694 1695 2cbc64f-2cbc686 1690->1695 1692 2cbc86c-2cbc887 1691->1692 1693 2cbc867 1691->1693 1696 2cbc889 1692->1696 1697 2cbc88e-2cbc8a2 1692->1697 1693->1692 1694->1695 1703 2cbc688 1695->1703 1704 2cbc68d-2cbc6bf 1695->1704 1696->1697 1701 2cbc8a9-2cbc8bf LdrInitializeThunk 1697->1701 1702 2cbc8a4 1697->1702 1705 2cbc8c1-2cbc9bf 1701->1705 1702->1701 1703->1704 1710 2cbc723-2cbc736 1704->1710 1711 2cbc6c1-2cbc6e6 1704->1711 1708 2cbc9c1-2cbc9c6 call 2cb5ca8 1705->1708 1709 2cbc9c7-2cbc9d1 1705->1709 1708->1709 1713 2cbc738 1710->1713 1714 2cbc73d-2cbc762 1710->1714 1715 2cbc6e8 1711->1715 1716 2cbc6ed-2cbc71b 1711->1716 1713->1714 1720 2cbc771-2cbc7a9 1714->1720 1721 2cbc764-2cbc765 1714->1721 1715->1716 1716->1710 1722 2cbc7ab 1720->1722 1723 2cbc7b0-2cbc811 call 2cbc168 1720->1723 1721->1691 1722->1723 1729 2cbc818-2cbc82a 1723->1729 1730 2cbc813 1723->1730 1729->1686 1730->1729
                                            APIs
                                            • LdrInitializeThunk.NTDLL(00000000), ref: 02CBC8AE
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2646113626.0000000002CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2cb0000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID: InitializeThunk
                                            • String ID:
                                            • API String ID: 2994545307-0
                                            • Opcode ID: 67f8c6de416590941afb9c52b9f9477985b08d54d39356a7f94ef97e42fdc765
                                            • Instruction ID: 25bc0f854edc190dc664c7f62113f61fb6a0f508ced3681d079ae39205bd19ce
                                            • Opcode Fuzzy Hash: 67f8c6de416590941afb9c52b9f9477985b08d54d39356a7f94ef97e42fdc765
                                            • Instruction Fuzzy Hash: 73113A74E002099FEB15DBA9D484BEDBBB5FF88304F54816AE848E7345D7319E42CB60
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2645768281.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2c6d000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 88a4ade53c43c3e994a3f5cdca25073cd5113b40ca11a0c2f990bb5361563ad7
                                            • Instruction ID: a864b4e1d8c2d11f0c64b91a282258b0c34d2fa3dd2316484c87f0106c60d322
                                            • Opcode Fuzzy Hash: 88a4ade53c43c3e994a3f5cdca25073cd5113b40ca11a0c2f990bb5361563ad7
                                            • Instruction Fuzzy Hash: 97212271608304DFDB10DF10D9C8B26BBA5FBC8314F20C56DD80A4B282C37AD447CAA2
                                            Memory Dump Source
                                            • Source File: 00000012.00000002.2645768281.0000000002C6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C6D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_18_2_2c6d000_JIlApjvRxj.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: dae201bac61633d30dcbba5edab514b47e9121d97a1e5e621180d55dc1528518
                                            • Instruction ID: 196b418ca96c354e30edc62fea951a090c86a645c50201e426d1650b5ede82e3
                                            • Opcode Fuzzy Hash: dae201bac61633d30dcbba5edab514b47e9121d97a1e5e621180d55dc1528518
                                            • Instruction Fuzzy Hash: 95214B7550D3C49FC703CB24D994711BF71AB86214F2985EBD8898F2A7C33A980ACB62