Windows Analysis Report
TEKLIF 2002509.exe

Overview

General Information

Sample name: TEKLIF 2002509.exe
Analysis ID: 1520407
MD5: 7a3bfa8d0ab2a9b1258925a73a037393
SHA1: 5785960ead180d8709d2b4e182ada67cf751a85c
SHA256: 8924d6255fe634004cc46de0a9ee6b4d7c44c1612947d747ebea2a6c06d2a37e
Tags: exe, geo, TUR, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign process
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to resolve many domain names, but no domain seems valid
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

AV Detection

Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.avada-casino-tlj.buzz/bc01/"], "decoy": ["epatitis-treatment-26155.bond", "52cy67sk.bond", "nline-degree-6987776.world", "ingxingdiandeng-2033.top", "mberbreeze.cyou", "48xc300mw.autos", "obs-for-seniors-39582.bond", "tpetersburg-3-tonn.online", "egafon-parser.online", "172jh.shop", "ltraman.pro", "bqfhnys.shop", "ntercash24-cad.homes", "uhtwister.cloud", "alk-in-tubs-27353.bond", "ucas-saaad.buzz", "oko.events", "8080713.xyz", "refabricated-homes-74404.bond", "inaa.boo", "nnevateknoloji.xyz", "ar-accident-lawyer-389.today", "ianju-fvqh092.vip", "ealthandwellnessly.digital", "qzxx.top", "q8189.top", "ecurity-service-22477.bond", "ractors-42621.bond", "astamadre.shop", "tonomushotel.xyz", "cowatt.fun", "olocaustaffirmer.net", "delphi.ltd", "mmwinni.buzz", "8009.top", "nline-gaming-ox-fr.xyz", "irtyeffingrancher.info", "omotech-dz.net", "akemoneyonline.bond", "ustbookin.online", "eals.lat", "irmag.online", "eddogbrands.website", "oifulcares.net", "aming-chair-83359.bond", "ewferg.top", "areless.net", "torygame168.online", "y-language-menu.net", "iring-cleaners-2507.xyz", "inancialenlightment.info", "ar-accident-lawyer-389.today", "sicologosportugueses.online", "ajabandot.website", "oidakings.net", "2ar1.shop", "comedia.lol", "kjbrosmm.shop", "ffpage.shop", "nfluencer-marketing-17923.bond", "ebshieldsrenew.live", "lkjuy.xyz", "lussalesapp.website", "hildrens-clothing.today"]}
Source: TEKLIF 2002509.exe ReversingLabs: Detection: 73%
Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: TEKLIF 2002509.exe Joe Sandbox ML: detected
Source: TEKLIF 2002509.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: TEKLIF 2002509.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: OBGu.pdbSHA2561h source: TEKLIF 2002509.exe
Source: Binary string: chkdsk.pdbGCTL source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp, TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4600399976.0000000000C40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: OBGu.pdb source: TEKLIF 2002509.exe
Source: Binary string: chkdsk.pdb source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp, TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4600399976.0000000000C40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: TEKLIF 2002509.exe, 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2272873820.0000000005572000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2270790993.00000000053C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: TEKLIF 2002509.exe, TEKLIF 2002509.exe, 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2272873820.0000000005572000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2270790993.00000000053C6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 4x nop then pop edi 5_2_0040E461
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop edi 7_2_04C6E461

Networking

Source: Malware configuration extractor URLs: www.avada-casino-tlj.buzz/bc01/
Source: unknown DNS traffic detected: query: www.avada-casino-tlj.buzz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ffpage.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.nline-degree-6987776.world replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.mberbreeze.cyou replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.obs-for-seniors-39582.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.sicologosportugueses.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.akemoneyonline.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ewferg.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.8009.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.uhtwister.cloud replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.nfluencer-marketing-17923.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.avada-casino-tlj.buzz replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ffpage.shop replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.nline-degree-6987776.world replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.mberbreeze.cyou replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.obs-for-seniors-39582.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.sicologosportugueses.online replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.akemoneyonline.bond replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.ewferg.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.8009.top replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.uhtwister.cloud replaycode: Name error (3)
Source: unknown DNS traffic detected: query: www.nfluencer-marketing-17923.bond replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: www.ffpage.shop
Source: global traffic DNS traffic detected: DNS query: www.mberbreeze.cyou
Source: global traffic DNS traffic detected: DNS query: www.obs-for-seniors-39582.bond
Source: global traffic DNS traffic detected: DNS query: www.uhtwister.cloud
Source: global traffic DNS traffic detected: DNS query: www.akemoneyonline.bond
Source: global traffic DNS traffic detected: DNS query: www.sicologosportugueses.online
Source: global traffic DNS traffic detected: DNS query: www.avada-casino-tlj.buzz
Source: global traffic DNS traffic detected: DNS query: www.nline-degree-6987776.world
Source: global traffic DNS traffic detected: DNS query: www.8009.top
Source: global traffic DNS traffic detected: DNS query: www.nfluencer-marketing-17923.bond
Source: global traffic DNS traffic detected: DNS query: www.ewferg.top
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000006.00000002.4609091546.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2156332726.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000002.4613506646.0000000007B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: TEKLIF 2002509.exe, 00000000.00000002.2149822978.0000000002A41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.8009.top
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.8009.top/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.8009.top/bc01/www.nfluencer-marketing-17923.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.8009.topReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.akemoneyonline.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.akemoneyonline.bond/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.akemoneyonline.bond/bc01/www.lkjuy.xyz
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.akemoneyonline.bondReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avada-casino-tlj.buzz
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avada-casino-tlj.buzz/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avada-casino-tlj.buzz/bc01/www.nline-degree-6987776.world
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.avada-casino-tlj.buzzReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealthandwellnessly.digital
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealthandwellnessly.digital/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealthandwellnessly.digital/bc01/www.ractors-42621.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ealthandwellnessly.digitalReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.epatitis-treatment-26155.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.epatitis-treatment-26155.bond/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.epatitis-treatment-26155.bond/bc01/www.ealthandwellnessly.digital
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.epatitis-treatment-26155.bondReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ewferg.top
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ewferg.top/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ewferg.top/bc01/www.epatitis-treatment-26155.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ewferg.topReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ffpage.shop
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ffpage.shop/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ffpage.shop/bc01/www.mberbreeze.cyou
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ffpage.shopReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lkjuy.xyz
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lkjuy.xyz/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lkjuy.xyz/bc01/www.sicologosportugueses.online
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.lkjuy.xyzReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mberbreeze.cyou
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mberbreeze.cyou/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mberbreeze.cyou/bc01/www.obs-for-seniors-39582.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mberbreeze.cyouReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nfluencer-marketing-17923.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nfluencer-marketing-17923.bond/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nfluencer-marketing-17923.bond/bc01/www.ewferg.top
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nfluencer-marketing-17923.bondReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nline-degree-6987776.world
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nline-degree-6987776.world/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nline-degree-6987776.world/bc01/www.8009.top
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.nline-degree-6987776.worldReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.obs-for-seniors-39582.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.obs-for-seniors-39582.bond/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.obs-for-seniors-39582.bond/bc01/www.uhtwister.cloud
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.obs-for-seniors-39582.bondReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ractors-42621.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ractors-42621.bond/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ractors-42621.bond/bc01/www.torygame168.online
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ractors-42621.bondReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sicologosportugueses.online
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sicologosportugueses.online/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sicologosportugueses.online/bc01/www.avada-casino-tlj.buzz
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.sicologosportugueses.onlineReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.torygame168.online
Source: explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.torygame168.online/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.torygame168.online/bc01/_
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.torygame168.onlineReferer:
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhtwister.cloud
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhtwister.cloud/bc01/
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhtwister.cloud/bc01/www.akemoneyonline.bond
Source: explorer.exe, 00000006.00000002.4620685422.000000000C4E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2983565236.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075073896.000000000C4EF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.uhtwister.cloudReferer:
Source: explorer.exe, 00000006.00000002.4614750288.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2161826176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979331163.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000006.00000002.4618097457.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000006.00000000.2165698590.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4618097457.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000006.00000002.4614750288.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2161826176.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2979331163.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000006.00000002.4618097457.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.3075352059.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000003.2985609705.000000000C071000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2165698590.000000000C048000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000006.00000002.4612185062.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.2270725098.000000000146F000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 Author: unknown
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: TEKLIF 2002509.exe PID: 3184, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: TEKLIF 2002509.exe PID: 5068, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: chkdsk.exe PID: 1816, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041A330 NtCreateFile, 5_2_0041A330
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041A3E0 NtReadFile, 5_2_0041A3E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041A460 NtClose, 5_2_0041A460
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041A510 NtAllocateVirtualMemory, 5_2_0041A510
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041A3DB NtReadFile, 5_2_0041A3DB
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041A50F NtAllocateVirtualMemory, 5_2_0041A50F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2B60 NtClose,LdrInitializeThunk, 5_2_015D2B60
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_015D2BF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2AD0 NtReadFile,LdrInitializeThunk, 5_2_015D2AD0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2D10 NtMapViewOfSection,LdrInitializeThunk, 5_2_015D2D10
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2D30 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_015D2D30
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2DD0 NtDelayExecution,LdrInitializeThunk, 5_2_015D2DD0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_015D2DF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_015D2C70
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2CA0 NtQueryInformationToken,LdrInitializeThunk, 5_2_015D2CA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2F30 NtCreateSection,LdrInitializeThunk, 5_2_015D2F30
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2FE0 NtCreateFile,LdrInitializeThunk, 5_2_015D2FE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2F90 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_015D2F90
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2FB0 NtResumeThread,LdrInitializeThunk, 5_2_015D2FB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2E80 NtReadVirtualMemory,LdrInitializeThunk, 5_2_015D2E80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_015D2EA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D4340 NtSetContextThread, 5_2_015D4340
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D4650 NtSuspendThread, 5_2_015D4650
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2BE0 NtQueryValueKey, 5_2_015D2BE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2B80 NtQueryInformationFile, 5_2_015D2B80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2BA0 NtEnumerateValueKey, 5_2_015D2BA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2AF0 NtWriteFile, 5_2_015D2AF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2AB0 NtWaitForSingleObject, 5_2_015D2AB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2D00 NtSetInformationFile, 5_2_015D2D00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2DB0 NtEnumerateKey, 5_2_015D2DB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2C60 NtCreateKey, 5_2_015D2C60
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2C00 NtQueryInformationProcess, 5_2_015D2C00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2CC0 NtQueryVirtualMemory, 5_2_015D2CC0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2CF0 NtOpenProcess, 5_2_015D2CF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2F60 NtCreateProcessEx, 5_2_015D2F60
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2FA0 NtQuerySection, 5_2_015D2FA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2E30 NtWriteVirtualMemory, 5_2_015D2E30
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2EE0 NtQueueApcThread, 5_2_015D2EE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D3010 NtOpenDirectoryObject, 5_2_015D3010
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D3090 NtSetValueKey, 5_2_015D3090
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D35C0 NtCreateMutant, 5_2_015D35C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D39B0 NtGetContextThread, 5_2_015D39B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D3D70 NtOpenThread, 5_2_015D3D70
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D3D10 NtOpenProcessToken, 5_2_015D3D10
Source: C:\Windows\explorer.exe Code function: 6_2_0E39F232 NtCreateFile, 6_2_0E39F232
Source: C:\Windows\explorer.exe Code function: 6_2_0E3A0E12 NtProtectVirtualMemory, 6_2_0E3A0E12
Source: C:\Windows\explorer.exe Code function: 6_2_0E3A0E0A NtProtectVirtualMemory, 6_2_0E3A0E0A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_05792D10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_05792DF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792DD0 NtDelayExecution,LdrInitializeThunk, 7_2_05792DD0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_05792C70
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792C60 NtCreateKey,LdrInitializeThunk, 7_2_05792C60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792CA0 NtQueryInformationToken,LdrInitializeThunk, 7_2_05792CA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792F30 NtCreateSection,LdrInitializeThunk, 7_2_05792F30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792FE0 NtCreateFile,LdrInitializeThunk, 7_2_05792FE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 7_2_05792EA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792B60 NtClose,LdrInitializeThunk, 7_2_05792B60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 7_2_05792BF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792BE0 NtQueryValueKey,LdrInitializeThunk, 7_2_05792BE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792AD0 NtReadFile,LdrInitializeThunk, 7_2_05792AD0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057935C0 NtCreateMutant,LdrInitializeThunk, 7_2_057935C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05794650 NtSuspendThread, 7_2_05794650
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05794340 NtSetContextThread, 7_2_05794340
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792D30 NtUnmapViewOfSection, 7_2_05792D30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792D00 NtSetInformationFile, 7_2_05792D00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792DB0 NtEnumerateKey, 7_2_05792DB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792C00 NtQueryInformationProcess, 7_2_05792C00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792CF0 NtOpenProcess, 7_2_05792CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792CC0 NtQueryVirtualMemory, 7_2_05792CC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792F60 NtCreateProcessEx, 7_2_05792F60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792FB0 NtResumeThread, 7_2_05792FB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792FA0 NtQuerySection, 7_2_05792FA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792F90 NtProtectVirtualMemory, 7_2_05792F90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792E30 NtWriteVirtualMemory, 7_2_05792E30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792EE0 NtQueueApcThread, 7_2_05792EE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792E80 NtReadVirtualMemory, 7_2_05792E80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792BA0 NtEnumerateValueKey, 7_2_05792BA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792B80 NtQueryInformationFile, 7_2_05792B80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792AF0 NtWriteFile, 7_2_05792AF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792AB0 NtWaitForSingleObject, 7_2_05792AB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05793010 NtOpenDirectoryObject, 7_2_05793010
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05793090 NtSetValueKey, 7_2_05793090
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05793D70 NtOpenThread, 7_2_05793D70
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05793D10 NtOpenProcessToken, 7_2_05793D10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057939B0 NtGetContextThread, 7_2_057939B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7A460 NtClose, 7_2_04C7A460
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7A510 NtAllocateVirtualMemory, 7_2_04C7A510
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7A3E0 NtReadFile, 7_2_04C7A3E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7A330 NtCreateFile, 7_2_04C7A330
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7A50F NtAllocateVirtualMemory, 7_2_04C7A50F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7A3DB NtReadFile, 7_2_04C7A3DB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 7_2_0550A036
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05509BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 7_2_05509BAF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550A042 NtQueryInformationProcess, 7_2_0550A042
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05509BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 7_2_05509BB2
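The chains above, in particular 7_2_0550A036 (NtQueryInformationProcess, NtSuspendThread, NtSetContextThread, NtQueueApcThread, NtResumeThread) and 7_2_05509BAF (NtCreateSection, NtMapViewOfSection twice, NtUnmapViewOfSection, NtClose), are the raw evidence behind the "process hollowing" and "thread injection" signatures listed in the overview: the payload running inside chkdsk.exe maps a section over a target and redirects a thread into it, while the single-call functions in process 5 (NtWriteVirtualMemory, NtQueueApcThread) are the same primitives used one at a time. The following is an added example, not part of the sandbox output: a small Python parser that reads these "Code function" lines, groups the native calls per process image, and rates each injection pattern as "chain" when all of its calls sit in one function or "process" when they are only present spread across functions of the same image. The technique groupings are my own heuristic, and the sample lines are copied from this report.

```python
import re
from collections import defaultdict

# Constructed sample: "Code function" lines copied from this report. The parser
# accepts the full report text line by line in the same way.
REPORT_LINES = [
    r"Source: C:\Windows\explorer.exe Code function: 6_2_0E39F232 NtCreateFile, 6_2_0E39F232",
    r"Source: C:\Windows\explorer.exe Code function: 6_2_0E3A0E12 NtProtectVirtualMemory, 6_2_0E3A0E12",
    r"Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_05792D10",
    r"Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05792E30 NtWriteVirtualMemory, 7_2_05792E30",
    r"Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread, 7_2_0550A036",
    r"Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05509BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 7_2_05509BAF",
    r"Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2E30 NtWriteVirtualMemory, 5_2_015D2E30",
    r"Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2EE0 NtQueueApcThread, 5_2_015D2EE0",
    r"Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2F60 NtCreateProcessEx, 5_2_015D2F60",
]

# "Source: <image> Code function: <addr> <call,call,...,> <addr>"
LINE_RE = re.compile(
    r"^Source: (?P<image>.+?) Code function: (?P<addr>\S+) (?P<calls>(?:\w+,)+) (?P=addr)$"
)

# Call sets characteristic of the injection techniques the report flags.
# This grouping is my own heuristic, not the sandbox's rule set.
TECHNIQUES = {
    # classic hollowing: map a fresh section over the suspended child's image
    "section_remap": {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"},
    # redirect an existing thread's entry point through its saved context
    "thread_hijack": {"NtSuspendThread", "NtSetContextThread", "NtResumeThread"},
    # write code into the target, then queue an APC that runs it
    "apc_injection": {"NtWriteVirtualMemory", "NtQueueApcThread"},
}


def parse(lines):
    """Yield (image, address, [calls]) for every 'Code function' line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        calls = [c for c in m.group("calls").split(",") if c]
        yield m.group("image"), m.group("addr"), calls


def classify(lines):
    """Map each process image to the injection techniques its call chains show.

    'chain'   : every API of the technique occurs inside one function (strongest).
    'process' : the APIs are only present spread across functions of that image.
    """
    per_func = defaultdict(list)   # image -> list of per-function call sets
    per_image = defaultdict(set)   # image -> union of all calls seen
    for image, _addr, calls in parse(lines):
        per_func[image].append(set(calls))
        per_image[image].update(calls)

    verdict = {}
    for image, chains in per_func.items():
        hits = {}
        for name, needed in TECHNIQUES.items():
            if any(needed <= chain for chain in chains):
                hits[name] = "chain"
            elif needed <= per_image[image]:
                hits[name] = "process"
        verdict[image] = hits
    return verdict


if __name__ == "__main__":
    for image, hits in classify(REPORT_LINES).items():
        print(f"{image}: {hits or 'no injection pattern'}")
```

Run against the whole report, the "chain" hits single out the injected code in chkdsk.exe, while explorer.exe (which only shows NtCreateFile and NtProtectVirtualMemory here) stays clean; the "process"-level hits are the weaker signal and are worth checking by hand, since a legitimate loader can also touch NtWriteVirtualMemory and NtQueueApcThread in unrelated functions.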
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_00D4DEEC 0_2_00D4DEEC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A047A8 0_2_07A047A8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A05FA8 0_2_07A05FA8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A04798 0_2_07A04798
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A06DE8 0_2_07A06DE8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A05D37 0_2_07A05D37
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A04370 0_2_07A04370
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A0B938 0_2_07A0B938
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A068D8 0_2_07A068D8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041E857 5_2_0041E857
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041DAED 5_2_0041DAED
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041DA9C 5_2_0041DA9C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041E4DB 5_2_0041E4DB
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041D573 5_2_0041D573
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00402D89 5_2_00402D89
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041EE4C 5_2_0041EE4C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00409E5B 5_2_00409E5B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00409E60 5_2_00409E60
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01628158 5_2_01628158
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590100 5_2_01590100
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163A118 5_2_0163A118
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016581CC 5_2_016581CC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016601AA 5_2_016601AA
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165A352 5_2_0165A352
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016603E6 5_2_016603E6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE3F0 5_2_015AE3F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016202C0 5_2_016202C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0535 5_2_015A0535
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01660591 5_2_01660591
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01652446 5_2_01652446
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0164E4F6 5_2_0164E4F6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C4750 5_2_015C4750
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0770 5_2_015A0770
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159C7C0 5_2_0159C7C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BC6E0 5_2_015BC6E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B6962 5_2_015B6962
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0166A9A6 5_2_0166A9A6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A29A0 5_2_015A29A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A2840 5_2_015A2840
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AA840 5_2_015AA840
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CE8F0 5_2_015CE8F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015868B8 5_2_015868B8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165AB40 5_2_0165AB40
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01656BD7 5_2_01656BD7
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159EA80 5_2_0159EA80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AAD00 5_2_015AAD00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159ADE0 5_2_0159ADE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B8DBF 5_2_015B8DBF
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0C00 5_2_015A0C00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590CF2 5_2_01590CF2
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640CB5 5_2_01640CB5
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01614F40 5_2_01614F40
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C0F30 5_2_015C0F30
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015E2F28 5_2_015E2F28
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01592FC8 5_2_01592FC8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015ACFE0 5_2_015ACFE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161EFA0 5_2_0161EFA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0E59 5_2_015A0E59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165EE26 5_2_0165EE26
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165EEDB 5_2_0165EEDB
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B2E90 5_2_015B2E90
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165CE93 5_2_0165CE93
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0166B16B 5_2_0166B16B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158F172 5_2_0158F172
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D516C 5_2_015D516C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AB1B0 5_2_015AB1B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165F0E0 5_2_0165F0E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016570E9 5_2_016570E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A70C0 5_2_015A70C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0164F0CC 5_2_0164F0CC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158D34C 5_2_0158D34C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165132D 5_2_0165132D
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015E739A 5_2_015E739A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016412ED 5_2_016412ED
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BB2C0 5_2_015BB2C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A52A0 5_2_015A52A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01657571 5_2_01657571
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163D5B0 5_2_0163D5B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01591460 5_2_01591460
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165F43F 5_2_0165F43F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165F7B0 5_2_0165F7B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016516CC 5_2_016516CC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A9950 5_2_015A9950
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BB950 5_2_015BB950
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01635910 5_2_01635910
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160D800 5_2_0160D800
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A38E0 5_2_015A38E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165FB76 5_2_0165FB76
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01615BF0 5_2_01615BF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015DDBF9 5_2_015DDBF9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BFB80 5_2_015BFB80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01613A6C 5_2_01613A6C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01657A46 5_2_01657A46
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165FA49 5_2_0165FA49
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0164DAC6 5_2_0164DAC6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163DAAC 5_2_0163DAAC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015E5AA0 5_2_015E5AA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01657D73 5_2_01657D73
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A3D40 5_2_015A3D40
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01651D5A 5_2_01651D5A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BFDC0 5_2_015BFDC0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01619C32 5_2_01619C32
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165FCF2 5_2_0165FCF2
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165FF09 5_2_0165FF09
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A1F92 5_2_015A1F92
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165FFB1 5_2_0165FFB1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A9EB0 5_2_015A9EB0
Source: C:\Windows\explorer.exe Code function: 6_2_0E0CA232 6_2_0E0CA232
Source: C:\Windows\explorer.exe Code function: 6_2_0E0C4B30 6_2_0E0C4B30
Source: C:\Windows\explorer.exe Code function: 6_2_0E0C4B32 6_2_0E0C4B32
Source: C:\Windows\explorer.exe Code function: 6_2_0E0C9036 6_2_0E0C9036
Source: C:\Windows\explorer.exe Code function: 6_2_0E0C0082 6_2_0E0C0082
Source: C:\Windows\explorer.exe Code function: 6_2_0E0C1D02 6_2_0E0C1D02
Source: C:\Windows\explorer.exe Code function: 6_2_0E0C7912 6_2_0E0C7912
Source: C:\Windows\explorer.exe Code function: 6_2_0E0CD5CD 6_2_0E0CD5CD
Source: C:\Windows\explorer.exe Code function: 6_2_0E218232 6_2_0E218232
Source: C:\Windows\explorer.exe Code function: 6_2_0E212B30 6_2_0E212B30
Source: C:\Windows\explorer.exe Code function: 6_2_0E212B32 6_2_0E212B32
Source: C:\Windows\explorer.exe Code function: 6_2_0E217036 6_2_0E217036
Source: C:\Windows\explorer.exe Code function: 6_2_0E20E082 6_2_0E20E082
Source: C:\Windows\explorer.exe Code function: 6_2_0E20FD02 6_2_0E20FD02
Source: C:\Windows\explorer.exe Code function: 6_2_0E215912 6_2_0E215912
Source: C:\Windows\explorer.exe Code function: 6_2_0E21B5CD 6_2_0E21B5CD
Source: C:\Windows\explorer.exe Code function: 6_2_0E39F232 6_2_0E39F232
Source: C:\Windows\explorer.exe Code function: 6_2_0E39E036 6_2_0E39E036
Source: C:\Windows\explorer.exe Code function: 6_2_0E395082 6_2_0E395082
Source: C:\Windows\explorer.exe Code function: 6_2_0E399B30 6_2_0E399B30
Source: C:\Windows\explorer.exe Code function: 6_2_0E399B32 6_2_0E399B32
Source: C:\Windows\explorer.exe Code function: 6_2_0E39C912 6_2_0E39C912
Source: C:\Windows\explorer.exe Code function: 6_2_0E396D02 6_2_0E396D02
Source: C:\Windows\explorer.exe Code function: 6_2_0E3A25CD 6_2_0E3A25CD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05820591 7_2_05820591
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05760535 7_2_05760535
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0580E4F6 7_2_0580E4F6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05812446 7_2_05812446
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05760770 7_2_05760770
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05784750 7_2_05784750
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0575C7C0 7_2_0575C7C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0577C6E0 7_2_0577C6E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057E8158 7_2_057E8158
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_058201AA 7_2_058201AA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_058181CC 7_2_058181CC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057FA118 7_2_057FA118
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05750100 7_2_05750100
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057F2000 7_2_057F2000
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_058203E6 7_2_058203E6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0576E3F0 7_2_0576E3F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581A352 7_2_0581A352
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057E02C0 7_2_057E02C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05800274 7_2_05800274
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057FCD1F 7_2_057FCD1F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0576AD00 7_2_0576AD00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0575ADE0 7_2_0575ADE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05778DBF 7_2_05778DBF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05800CB5 7_2_05800CB5
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05760C00 7_2_05760C00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05750CF2 7_2_05750CF2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057D4F40 7_2_057D4F40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05780F30 7_2_05780F30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057A2F28 7_2_057A2F28
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0576CFE0 7_2_0576CFE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05752FC8 7_2_05752FC8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057DEFA0 7_2_057DEFA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581CE93 7_2_0581CE93
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05760E59 7_2_05760E59
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581EEDB 7_2_0581EEDB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581EE26 7_2_0581EE26
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05772E90 7_2_05772E90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05776962 7_2_05776962
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0582A9A6 7_2_0582A9A6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057629A0 7_2_057629A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05762840 7_2_05762840
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0576A840 7_2_0576A840
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0578E8F0 7_2_0578E8F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057468B8 7_2_057468B8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05816BD7 7_2_05816BD7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581AB40 7_2_0581AB40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0575EA80 7_2_0575EA80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057FD5B0 7_2_057FD5B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05817571 7_2_05817571
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05751460 7_2_05751460
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581F43F 7_2_0581F43F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581F7B0 7_2_0581F7B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_058116CC 7_2_058116CC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0574F172 7_2_0574F172
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0579516C 7_2_0579516C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0576B1B0 7_2_0576B1B0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0582B16B 7_2_0582B16B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0580F0CC 7_2_0580F0CC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581F0E0 7_2_0581F0E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_058170E9 7_2_058170E9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057670C0 7_2_057670C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0574D34C 7_2_0574D34C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581132D 7_2_0581132D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057A739A 7_2_057A739A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_058012ED 7_2_058012ED
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0577B2C0 7_2_0577B2C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057652A0 7_2_057652A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05763D40 7_2_05763D40
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0577FDC0 7_2_0577FDC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05811D5A 7_2_05811D5A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05817D73 7_2_05817D73
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057D9C32 7_2_057D9C32
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581FCF2 7_2_0581FCF2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581FFB1 7_2_0581FFB1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581FF09 7_2_0581FF09
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05761F92 7_2_05761F92
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05769EB0 7_2_05769EB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05769950 7_2_05769950
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0577B950 7_2_0577B950
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057F5910 7_2_057F5910
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057CD800 7_2_057CD800
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057638E0 7_2_057638E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0579DBF9 7_2_0579DBF9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057D5BF0 7_2_057D5BF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581FB76 7_2_0581FB76
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0577FB80 7_2_0577FB80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057D3A6C 7_2_057D3A6C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05801AA3 7_2_05801AA3
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0580DAC6 7_2_0580DAC6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05817A46 7_2_05817A46
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0581FA49 7_2_0581FA49
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057FDAAC 7_2_057FDAAC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057A5AA0 7_2_057A5AA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7E4CE 7_2_04C7E4CE
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C62D89 7_2_04C62D89
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C62D90 7_2_04C62D90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7D573 7_2_04C7D573
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7EE4C 7_2_04C7EE4C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C69E5B 7_2_04C69E5B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C69E60 7_2_04C69E60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C62FB0 7_2_04C62FB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7E857 7_2_04C7E857
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7DA9C 7_2_04C7DA9C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550A036 7_2_0550A036
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05502D02 7_2_05502D02
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550E5CD 7_2_0550E5CD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05508912 7_2_05508912
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05501082 7_2_05501082
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05505B30 7_2_05505B30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_05505B32 7_2_05505B32
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550B232 7_2_0550B232
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0574B970 appears 275 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 057A7E54 appears 101 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 057CEA12 appears 86 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 05795130 appears 58 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 057DF290 appears 105 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: String function: 0158B970 appears 275 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: String function: 015E7E54 appears 99 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: String function: 0161F290 appears 105 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: String function: 0160EA12 appears 86 times
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: String function: 015D5130 appears 48 times
Source: TEKLIF 2002509.exe, 00000000.00000002.2156396568.0000000006B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000002.2156396568.0000000006B1B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamePowerShell.EXEj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000002.2157593413.0000000007970000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000000.2124193076.0000000000608000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameOBGu.exe> vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000002.2146214464.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B6000.00000040.10000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001050000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe, 00000005.00000002.2270946642.000000000168D000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs TEKLIF 2002509.exe
Source: TEKLIF 2002509.exe Binary or memory string: OriginalFilenameOBGu.exe> vs TEKLIF 2002509.exe
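The "OriginalFilename ... vs TEKLIF 2002509.exe" lines come from scanning process memory for PE version-info strings and comparing the embedded name with the image that is actually running. CHKDSK.EXE turning up inside process 5 (TEKLIF 2002509.exe) is consistent with chkdsk.exe being the hollowing target, OBGu.exe is the dropper's own internal name before it was renamed, and clr.dll, ntdll.dll or PowerShell.EXE.MUI are expected in any .NET process that spawns PowerShell. The following is an added example, not the sandbox's code: a Python scanner that finds UTF-16LE "OriginalFilename" entries in a raw memory blob and reports executable names that differ from the hosting image. The memory buffer is constructed inline, and the rule "only mismatching .exe names are suspicious" is my heuristic.

```python
import re
from pathlib import PureWindowsPath

# A VS_VERSIONINFO String entry stores key and value as null-terminated UTF-16LE
# strings, with zero padding up to a DWORD boundary between them.
KEY = "OriginalFilename".encode("utf-16-le") + b"\x00\x00"
VALUE_RE = re.compile(rb"((?:[\x20-\x7e]\x00)+)\x00\x00")  # printable UTF-16LE run + terminator


def original_filenames(blob):
    """Return every OriginalFilename value found in a raw memory blob."""
    found = []
    pos = 0
    while True:
        i = blob.find(KEY, pos)
        if i < 0:
            break
        j = i + len(KEY)
        while j < len(blob) and blob[j] == 0:  # skip alignment padding after the key
            j += 1
        m = VALUE_RE.match(blob, j)
        if m:
            found.append(m.group(1).decode("utf-16-le"))
        pos = j
    return found


def hollowing_suspects(process_image, blob):
    """Executable names in memory that do not belong to the hosting image.

    Heuristic (mine, not the sandbox's): DLL names are expected in any process,
    but an .exe OriginalFilename different from the running image points at an
    overwritten/hollowed payload, e.g. CHKDSK.EXE inside TEKLIF 2002509.exe.
    A renamed dropper's own internal name (OBGu.exe here) shows up the same way,
    so each hit still needs an analyst's judgement.
    """
    host = PureWindowsPath(process_image).name.lower()
    suspects = []
    for name in original_filenames(blob):
        n = name.lower()
        if n.endswith(".exe") and n != host and n not in suspects:
            suspects.append(n)
    return suspects


def _entry(key, value, pad):
    """Build a minimal version-info String entry for the constructed sample."""
    return (key.encode("utf-16-le") + b"\x00\x00" + b"\x00" * pad
            + value.encode("utf-16-le") + b"\x00\x00")


# Constructed sample memory: junk bytes, the hollowing target's version info,
# a legitimately loaded DLL, and the dropper's own internal name.
SAMPLE_MEMORY = (
    b"\x90\x90junk\x00"
    + _entry("OriginalFilename", "CHKDSK.EXE", pad=2)
    + b"\xff\xfeabc"
    + _entry("OriginalFilename", "ntdll.dll", pad=0)
    + _entry("OriginalFilename", "OBGu.exe", pad=2)
    + b"\x00" * 8
)

if __name__ == "__main__":
    print(original_filenames(SAMPLE_MEMORY))
    print(hollowing_suspects(r"C:\Users\user\Desktop\TEKLIF 2002509.exe", SAMPLE_MEMORY))
```

On a real dump you would feed the scanner the process's writable and image regions (the report's .sdmp regions) and treat an .exe hit with a different name as the cue to carve that region and check whether it is the unpacked payload rather than a mapped copy of the named binary.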
Source: TEKLIF 2002509.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.2270725098.000000000146F000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Diceloader_15eeb7b9 reference_sample = a1202df600d11ad2c61050e7ba33701c22c2771b676f54edd1846ef418bea746, os = windows, severity = x86, creation_date = 2021-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Diceloader, fingerprint = 4cc70bec5d241c6f84010fbfe2eafbc6ec6d753df2bb3f52d9498b54b11fc8cb, id = 15eeb7b9-311f-477b-8ae1-b8f689a154b7, last_modified = 2021-08-23
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: TEKLIF 2002509.exe PID: 3184, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: TEKLIF 2002509.exe PID: 5068, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: chkdsk.exe PID: 1816, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: TEKLIF 2002509.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs Security API names: _0020.SetAccessControl
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs Security API names: _0020.SetAccessControl
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, JM7O18raLdCsp0TT2f.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, JM7O18raLdCsp0TT2f.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, JM7O18raLdCsp0TT2f.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, JM7O18raLdCsp0TT2f.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@523/6@11/0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TEKLIF 2002509.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2848:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_jglyexfm.d5r.ps1
Source: TEKLIF 2002509.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: TEKLIF 2002509.exe ReversingLabs: Detection: 73%
Source: unknown Process created: C:\Users\user\Desktop\TEKLIF 2002509.exe "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process created: C:\Users\user\Desktop\TEKLIF 2002509.exe "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe "C:\Windows\SysWOW64\chkdsk.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: TEKLIF 2002509.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: TEKLIF 2002509.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: TEKLIF 2002509.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: OBGu.pdbSHA2561h source: TEKLIF 2002509.exe
Source: Binary string: chkdsk.pdbGCTL source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp, TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4600399976.0000000000C40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: OBGu.pdb source: TEKLIF 2002509.exe
Source: Binary string: chkdsk.pdb source: TEKLIF 2002509.exe, 00000005.00000002.2270562283.0000000001037000.00000004.00000020.00020000.00000000.sdmp, TEKLIF 2002509.exe, 00000005.00000002.2270779723.00000000014B0000.00000040.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4600399976.0000000000C40000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: TEKLIF 2002509.exe, 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2272873820.0000000005572000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2270790993.00000000053C6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: TEKLIF 2002509.exe, TEKLIF 2002509.exe, 00000005.00000002.2270946642.0000000001560000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000007.00000002.4609117298.0000000005720000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000002.4609117298.00000000058BE000.00000040.00001000.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2272873820.0000000005572000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000007.00000003.2270790993.00000000053C6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: TEKLIF 2002509.exe, MainForm.cs .Net Code: InitializeComponent
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs .Net Code: kYVAevGp7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKLIF 2002509.exe.2ad99b0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKLIF 2002509.exe.2acc800.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs .Net Code: kYVAevGp7n System.Reflection.Assembly.Load(byte[])
Source: 0.2.TEKLIF 2002509.exe.5410000.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
Source: 6.2.explorer.exe.105af840.0.raw.unpack, MainForm.cs .Net Code: InitializeComponent
Source: 7.2.chkdsk.exe.5c6f840.3.raw.unpack, MainForm.cs .Net Code: InitializeComponent
Source: TEKLIF 2002509.exe Static PE information: 0x90BE7A2C [Fri Dec 14 12:10:20 2046 UTC]
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A00F38 push FC05428Bh; iretd 0_2_07A00F45
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 0_2_07A004EB push ecx; ret 0_2_07A004EC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041B863 push esi; iretd 5_2_0041B866
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00416B15 push 560BADFBh; retf 5_2_00416B1A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0040E44C push fs; iretd 5_2_0040E453
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041D4D2 push eax; ret 5_2_0041D4D8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041D4DB push eax; ret 5_2_0041D542
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041D485 push eax; ret 5_2_0041D4D8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0041D53C push eax; ret 5_2_0041D542
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015909AD push ecx; mov dword ptr [esp], ecx 5_2_015909B6
Source: C:\Windows\explorer.exe Code function: 6_2_0E0CDB02 push esp; retn 0000h 6_2_0E0CDB03
Source: C:\Windows\explorer.exe Code function: 6_2_0E0CDB1E push esp; retn 0000h 6_2_0E0CDB1F
Source: C:\Windows\explorer.exe Code function: 6_2_0E0CD9B5 push esp; retn 0000h 6_2_0E0CDAE7
Source: C:\Windows\explorer.exe Code function: 6_2_0E21BB02 push esp; retn 0000h 6_2_0E21BB03
Source: C:\Windows\explorer.exe Code function: 6_2_0E21BB1E push esp; retn 0000h 6_2_0E21BB1F
Source: C:\Windows\explorer.exe Code function: 6_2_0E21B9B5 push esp; retn 0000h 6_2_0E21BAE7
Source: C:\Windows\explorer.exe Code function: 6_2_0E3A2B1E push esp; retn 0000h 6_2_0E3A2B1F
Source: C:\Windows\explorer.exe Code function: 6_2_0E3A2B02 push esp; retn 0000h 6_2_0E3A2B03
Source: C:\Windows\explorer.exe Code function: 6_2_0E3A29B5 push esp; retn 0000h 6_2_0E3A2AE7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_057509AD push ecx; mov dword ptr [esp], ecx 7_2_057509B6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7D4D2 push eax; ret 7_2_04C7D4D8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7D4DB push eax; ret 7_2_04C7D542
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7D485 push eax; ret 7_2_04C7D4D8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C6E44C push fs; iretd 7_2_04C6E453
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7D53C push eax; ret 7_2_04C7D542
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C7B863 push esi; iretd 7_2_04C7B866
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_04C76B15 push 560BADFBh; retf 7_2_04C76B1A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550E9B5 push esp; retn 0000h 7_2_0550EAE7
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550EB1E push esp; retn 0000h 7_2_0550EB1F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 7_2_0550EB02 push esp; retn 0000h 7_2_0550EB03
Source: TEKLIF 2002509.exe Static PE information: section name: .text entropy: 7.8074983869733705
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, heQCqOCOAbT2gUwU8T.cs High entropy of concatenated method names: 'BrE6CXyFYW', 'QJN6R4TwBL', 'Hvj6egGNIV', 'nd16YJSPHY', 'E9n6O0ZDJ2', 'w6b6KkD5Aj', 'Oms6g0XGiG', 'Jch6GRQIxn', 'dxw6FUWB9S', 'fCh6DSOZ0P'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, TDtukO6GfaUXhl2KOo.cs High entropy of concatenated method names: 'Sr07XDI55B', 'QtU7jEUc8t', 'B1S7AGXXFF', 'XIu78AqWqq', 'Sh572uHCc6', 'M857SbiVNS', 'lwl7cA94mf', 'FYT090W2Is', 'iKZ0NVb8Yq', 'y0l0hdvoY9'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, ypRME2DH0KH6NXESPt.cs High entropy of concatenated method names: 'BQT0TwqcX5', 'CAK0tSvT0b', 'vvL0dUaGm7', 'bCa03TqHHP', 'HQW0yAJyoD', 'cH60Mx6te4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, QeDj08uv5Gyt8HZAr2q.cs High entropy of concatenated method names: 'xp77CnW8lN', 'kyV7RadaYb', 'tGB7eFkuVy', 'z7I7YIUuYk', 'H1i7O7rsjg', 'n587KBbyen', 'kL97grEFaa', 'Lto7GJPX6n', 'm047FnEyii', 'IZK7DUx7q1'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, UXnH0fbaR81yZxE9m6.cs High entropy of concatenated method names: 'Y6tej7BLG', 'GdrY93CYX', 'i7cKUYclH', 'DnQgtYgsa', 'qBOFgokEX', 'FXNDQ9aKy', 'd7YIe8ehyCgRUTpYfX', 'hiPvK05gq0jvJKVv0m', 'Tt60rplEb', 'AwlmnH5dR'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, Qy9rUWPyo7qf6AWgkP.cs High entropy of concatenated method names: 'ikFvoswQLB', 'cXcvnXj6tm', 'ToString', 'iIfv8AVOEB', 'fnCv2fGtLi', 'NufvZYLXgQ', 'tJHvSxc8ny', 'SRovcy1J80', 'doLv6Kgna2', 'eljvEMB2X1'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, ywlHyox3VgNfgD8hfG.cs High entropy of concatenated method names: 'YmrQGngwiC', 'hK2QFN8QUQ', 'M65QTB7BlH', 'nIEQtfgTJ4', 'hJCQ3WSEkG', 'iL1QMHg9UJ', 'qkLQxrZ9wb', 'bnjQ1LnsSx', 'd1KQUaqaVo', 'rjbQr9UpM3'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, VGRc9N4PfOyfPQ8fBe.cs High entropy of concatenated method names: 'U37vNgGJO2', 'QElvaV5mBU', 'MDv04wddx4', 'lMI0XYDCD8', 'FfvvrQL0Ar', 'NBnvWX0kOX', 'xnBvw5N5qb', 'r2QvyjwA91', 'GkUvVpt9SE', 'jE3vByxJK3'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, qNgdCMuJtVgkUgx1iYT.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MEHmyk3ydF', 'T5DmVKeXQU', 'Fw3mBDROZ4', 'b6xmbF87dS', 'I4YmijDe77', 'LeFmParLDi', 'dddm91xjHq'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, nXDjhnc6rpeKmEPU6W.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wF0Lhwx0xs', 'v3SLaE6txj', 'rW6LzW0m6q', 'qasj4qNcMT', 'GPbjX4qRJU', 'DRBjLHq36a', 'HkTjjANg83', 'ufowXSwKDB9GvrIXy2u'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, XO1rwv9tMAukoct4Me.cs High entropy of concatenated method names: 'ToString', 'YUWkra1qHb', 'uRuktJcQTq', 'IcxkdQWvyQ', 'hTyk3Yw77B', 'DbckMq7EAp', 'DWFks6oXkt', 'R6Hkx2BdLs', 'm5bk17Bq6G', 'yVYku4Le5u'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, wCU9vxKnwQhdQeKf63.cs High entropy of concatenated method names: 'ci4jqFa4tg', 'vXgj876sEA', 'cY7j2Ge4hR', 'xnLjZRprUv', 'JFXjS9b4Rq', 'w0sjcxBVqP', 'vD1j6121vR', 'GZSjETtD78', 'VaSjlfaSB9', 'XlnjoLJ0OH'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, FMRpxsMUdTJr0QpsDa.cs High entropy of concatenated method names: 'aPF68fZDxo', 'T986ZKiT2A', 'soe6cTwkk2', 'jl3cakGEPO', 'RsDczMiZ2h', 'IcZ64x1bKF', 'k9C6XdpSyA', 'u226LwTTTQ', 'IAS6jCK1RA', 'nKC6AFY1eN'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, lfySkRXcXOQywbZCfq.cs High entropy of concatenated method names: 'GDb08KCApM', 'GaK02TTsvg', 'VPR0ZRGkWt', 'fKK0SFY7c3', 'mZh0clex8x', 'zSl06oJjxk', 'jmp0E9OoiH', 'vZt0lTgKZA', 'knL0o8IIRA', 'zW30nq4QK2'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, IV6JtV2LRtdxPmJqYT.cs High entropy of concatenated method names: 'MLnZYs97QX', 'C3lZKfrMdR', 'vy9ZG54Goa', 'EZPZFAxmjs', 't4ZZIHSQ86', 'gM2Zk2yWaj', 'cCWZvny3Hu', 'XAOZ02CdDD', 'fyNZ7AMvHn', 'XXXZm0sVJY'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, bE3eCyUm6riB2iwlt7.cs High entropy of concatenated method names: 'cp8cqk947G', 'rApc2BrhEp', 'YGacSBWT4t', 'RB7c6PVrfi', 'PuccEgTgtY', 'qa2Si10oPP', 'bxMSP6WatX', 'IVuS9fHinS', 'tb7SNF3eY4', 'zZJShtEFny'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, dQ8buBsFPhIFtUaRGF.cs High entropy of concatenated method names: 'Dispose', 'I3tXhhGGhP', 'rtiLtTy8q5', 'RVFffGYOwy', 'kcxXaB3cd7', 'xyAXzIfNlX', 'ProcessDialogKey', 'JH6L4ykyBa', 'z4ALXBdCCo', 'DcrLL3JsY5'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, JM7O18raLdCsp0TT2f.cs High entropy of concatenated method names: 'vXS2yR0RLq', 'c2Q2VObuwS', 'A2g2BHiZUX', 'dqX2bIPiqe', 'J8U2iQAglH', 'XOV2PBhIJN', 'zh429vXtPK', 'wOw2N6DqyP', 'NNx2hCyR3R', 'xnU2aaWjfQ'
Source: 0.2.TEKLIF 2002509.exe.3c8ac90.2.raw.unpack, bYZGVsGsEIjObcNWh3.cs High entropy of concatenated method names: 'l9YX6eutdN', 'E3vXEXMfKP', 'tSoXoX2jP2', 'EtRXn9Nmbi', 'qHnXI5nhrF', 'SCmXkLhpeR', 'wL8GYrsxZ29qqDDnVg', 'PDBMEoTSiJKjy11OVA', 'FVKbDEWqqa3d8flRxQ', 'KO7XXLXsqg'
Source: 0.2.TEKLIF 2002509.exe.2ad99b0.0.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.TEKLIF 2002509.exe.2ad99b0.0.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.TEKLIF 2002509.exe.2acc800.1.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.TEKLIF 2002509.exe.2acc800.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, heQCqOCOAbT2gUwU8T.cs High entropy of concatenated method names: 'BrE6CXyFYW', 'QJN6R4TwBL', 'Hvj6egGNIV', 'nd16YJSPHY', 'E9n6O0ZDJ2', 'w6b6KkD5Aj', 'Oms6g0XGiG', 'Jch6GRQIxn', 'dxw6FUWB9S', 'fCh6DSOZ0P'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, TDtukO6GfaUXhl2KOo.cs High entropy of concatenated method names: 'Sr07XDI55B', 'QtU7jEUc8t', 'B1S7AGXXFF', 'XIu78AqWqq', 'Sh572uHCc6', 'M857SbiVNS', 'lwl7cA94mf', 'FYT090W2Is', 'iKZ0NVb8Yq', 'y0l0hdvoY9'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, ypRME2DH0KH6NXESPt.cs High entropy of concatenated method names: 'BQT0TwqcX5', 'CAK0tSvT0b', 'vvL0dUaGm7', 'bCa03TqHHP', 'HQW0yAJyoD', 'cH60Mx6te4', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, QeDj08uv5Gyt8HZAr2q.cs High entropy of concatenated method names: 'xp77CnW8lN', 'kyV7RadaYb', 'tGB7eFkuVy', 'z7I7YIUuYk', 'H1i7O7rsjg', 'n587KBbyen', 'kL97grEFaa', 'Lto7GJPX6n', 'm047FnEyii', 'IZK7DUx7q1'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, UXnH0fbaR81yZxE9m6.cs High entropy of concatenated method names: 'Y6tej7BLG', 'GdrY93CYX', 'i7cKUYclH', 'DnQgtYgsa', 'qBOFgokEX', 'FXNDQ9aKy', 'd7YIe8ehyCgRUTpYfX', 'hiPvK05gq0jvJKVv0m', 'Tt60rplEb', 'AwlmnH5dR'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, Qy9rUWPyo7qf6AWgkP.cs High entropy of concatenated method names: 'ikFvoswQLB', 'cXcvnXj6tm', 'ToString', 'iIfv8AVOEB', 'fnCv2fGtLi', 'NufvZYLXgQ', 'tJHvSxc8ny', 'SRovcy1J80', 'doLv6Kgna2', 'eljvEMB2X1'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, ywlHyox3VgNfgD8hfG.cs High entropy of concatenated method names: 'YmrQGngwiC', 'hK2QFN8QUQ', 'M65QTB7BlH', 'nIEQtfgTJ4', 'hJCQ3WSEkG', 'iL1QMHg9UJ', 'qkLQxrZ9wb', 'bnjQ1LnsSx', 'd1KQUaqaVo', 'rjbQr9UpM3'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, VGRc9N4PfOyfPQ8fBe.cs High entropy of concatenated method names: 'U37vNgGJO2', 'QElvaV5mBU', 'MDv04wddx4', 'lMI0XYDCD8', 'FfvvrQL0Ar', 'NBnvWX0kOX', 'xnBvw5N5qb', 'r2QvyjwA91', 'GkUvVpt9SE', 'jE3vByxJK3'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, qNgdCMuJtVgkUgx1iYT.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'MEHmyk3ydF', 'T5DmVKeXQU', 'Fw3mBDROZ4', 'b6xmbF87dS', 'I4YmijDe77', 'LeFmParLDi', 'dddm91xjHq'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, nXDjhnc6rpeKmEPU6W.cs High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wF0Lhwx0xs', 'v3SLaE6txj', 'rW6LzW0m6q', 'qasj4qNcMT', 'GPbjX4qRJU', 'DRBjLHq36a', 'HkTjjANg83', 'ufowXSwKDB9GvrIXy2u'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, XO1rwv9tMAukoct4Me.cs High entropy of concatenated method names: 'ToString', 'YUWkra1qHb', 'uRuktJcQTq', 'IcxkdQWvyQ', 'hTyk3Yw77B', 'DbckMq7EAp', 'DWFks6oXkt', 'R6Hkx2BdLs', 'm5bk17Bq6G', 'yVYku4Le5u'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, wCU9vxKnwQhdQeKf63.cs High entropy of concatenated method names: 'ci4jqFa4tg', 'vXgj876sEA', 'cY7j2Ge4hR', 'xnLjZRprUv', 'JFXjS9b4Rq', 'w0sjcxBVqP', 'vD1j6121vR', 'GZSjETtD78', 'VaSjlfaSB9', 'XlnjoLJ0OH'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, FMRpxsMUdTJr0QpsDa.cs High entropy of concatenated method names: 'aPF68fZDxo', 'T986ZKiT2A', 'soe6cTwkk2', 'jl3cakGEPO', 'RsDczMiZ2h', 'IcZ64x1bKF', 'k9C6XdpSyA', 'u226LwTTTQ', 'IAS6jCK1RA', 'nKC6AFY1eN'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, lfySkRXcXOQywbZCfq.cs High entropy of concatenated method names: 'GDb08KCApM', 'GaK02TTsvg', 'VPR0ZRGkWt', 'fKK0SFY7c3', 'mZh0clex8x', 'zSl06oJjxk', 'jmp0E9OoiH', 'vZt0lTgKZA', 'knL0o8IIRA', 'zW30nq4QK2'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, IV6JtV2LRtdxPmJqYT.cs High entropy of concatenated method names: 'MLnZYs97QX', 'C3lZKfrMdR', 'vy9ZG54Goa', 'EZPZFAxmjs', 't4ZZIHSQ86', 'gM2Zk2yWaj', 'cCWZvny3Hu', 'XAOZ02CdDD', 'fyNZ7AMvHn', 'XXXZm0sVJY'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, bE3eCyUm6riB2iwlt7.cs High entropy of concatenated method names: 'cp8cqk947G', 'rApc2BrhEp', 'YGacSBWT4t', 'RB7c6PVrfi', 'PuccEgTgtY', 'qa2Si10oPP', 'bxMSP6WatX', 'IVuS9fHinS', 'tb7SNF3eY4', 'zZJShtEFny'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, dQ8buBsFPhIFtUaRGF.cs High entropy of concatenated method names: 'Dispose', 'I3tXhhGGhP', 'rtiLtTy8q5', 'RVFffGYOwy', 'kcxXaB3cd7', 'xyAXzIfNlX', 'ProcessDialogKey', 'JH6L4ykyBa', 'z4ALXBdCCo', 'DcrLL3JsY5'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, JM7O18raLdCsp0TT2f.cs High entropy of concatenated method names: 'vXS2yR0RLq', 'c2Q2VObuwS', 'A2g2BHiZUX', 'dqX2bIPiqe', 'J8U2iQAglH', 'XOV2PBhIJN', 'zh429vXtPK', 'wOw2N6DqyP', 'NNx2hCyR3R', 'xnU2aaWjfQ'
Source: 0.2.TEKLIF 2002509.exe.7970000.4.raw.unpack, bYZGVsGsEIjObcNWh3.cs High entropy of concatenated method names: 'l9YX6eutdN', 'E3vXEXMfKP', 'tSoXoX2jP2', 'EtRXn9Nmbi', 'qHnXI5nhrF', 'SCmXkLhpeR', 'wL8GYrsxZ29qqDDnVg', 'PDBMEoTSiJKjy11OVA', 'FVKbDEWqqa3d8flRxQ', 'KO7XXLXsqg'
Source: 0.2.TEKLIF 2002509.exe.5410000.3.raw.unpack, kD0JNdgNBriBGn5egS.cs High entropy of concatenated method names: 'ubU6vJppswKkZ', 'uvAmfDYbimWPg9rmyH6', 'XHYItoYHo1DoUvgeuNZ', 'tYVkNWYXlYIi7gDFfLn', 'TV4H82YzoL7kT86loIA', 'yoiEG7M3KqRFDlQAaqW', 'rU4RpWYS77WPQpUZwKR', 'vGvSIFYGEhSitdykOPg', 'TCSl6vMYjB5c5h75h4u'
Source: 0.2.TEKLIF 2002509.exe.5410000.3.raw.unpack, QBy45BY4uMbUQs88Qq.cs High entropy of concatenated method names: 'QByY45B4u', 'EbUNQs88Q', 'D8PguGCCm', 'gfwtorebq', 'rQ9oD0JNd', 'cBrXiBGn5', 'sgS08fT72', 'lmAQKmrG6', 'qn1mTNvNO', 'K084ZL4CG'

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: TEKLIF 2002509.exe PID: 3184, type: MEMORYSTR
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB4430774
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB442D8A4
Source: C:\Windows\SysWOW64\chkdsk.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 4C69904 second address: 4C6990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe RDTSC instruction interceptor: First address: 4C69B7E second address: 4C69B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory allocated: D40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory allocated: 2A40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory allocated: FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory allocated: 7B50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory allocated: 8B50000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory allocated: 8D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory allocated: 9D10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6326
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3381
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 9468
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 473
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 896
Source: C:\Windows\SysWOW64\chkdsk.exe Window / User API: threadDelayed 9798
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\chkdsk.exe API coverage: 2.3 %
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe TID: 1668 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5964 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\explorer.exe TID: 1492 Thread sleep count: 9468 > 30
Source: C:\Windows\explorer.exe TID: 1492 Thread sleep time: -18936000s >= -30000s
Source: C:\Windows\explorer.exe TID: 1492 Thread sleep count: 473 > 30
Source: C:\Windows\explorer.exe TID: 1492 Thread sleep time: -946000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 Thread sleep count: 172 > 30
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 Thread sleep time: -344000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 Thread sleep count: 9798 > 30
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 Thread sleep time: -19596000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000006.00000000.2160221869.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000006.00000002.4614750288.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000006.00000002.4614750288.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000006.00000000.2161826176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000006.00000002.4614750288.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000006.00000002.4603783392.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000002.4614750288.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2160221869.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000006.00000002.4603783392.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000006.00000002.4620500167.000000000C474000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 'me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
Source: explorer.exe, 00000006.00000000.2153091637.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000006.00000000.2161826176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: explorer.exe, 00000006.00000002.4603783392.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000006.00000000.2161826176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000006.00000002.4603783392.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_00409AB0 rdtsc 5_2_00409AB0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0040ACF0 LdrLoadDll, 5_2_0040ACF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01596154 mov eax, dword ptr fs:[00000030h] 5_2_01596154
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01596154 mov eax, dword ptr fs:[00000030h] 5_2_01596154
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158C156 mov eax, dword ptr fs:[00000030h] 5_2_0158C156
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01624144 mov eax, dword ptr fs:[00000030h] 5_2_01624144
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01624144 mov eax, dword ptr fs:[00000030h] 5_2_01624144
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01624144 mov ecx, dword ptr fs:[00000030h] 5_2_01624144
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01624144 mov eax, dword ptr fs:[00000030h] 5_2_01624144
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01624144 mov eax, dword ptr fs:[00000030h] 5_2_01624144
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01628158 mov eax, dword ptr fs:[00000030h] 5_2_01628158
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01650115 mov eax, dword ptr fs:[00000030h] 5_2_01650115
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C0124 mov eax, dword ptr fs:[00000030h] 5_2_015C0124
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163A118 mov ecx, dword ptr fs:[00000030h] 5_2_0163A118
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163A118 mov eax, dword ptr fs:[00000030h] 5_2_0163A118
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163A118 mov eax, dword ptr fs:[00000030h] 5_2_0163A118
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163A118 mov eax, dword ptr fs:[00000030h] 5_2_0163A118
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016661E5 mov eax, dword ptr fs:[00000030h] 5_2_016661E5
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C01F8 mov eax, dword ptr fs:[00000030h] 5_2_015C01F8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016561C3 mov eax, dword ptr fs:[00000030h] 5_2_016561C3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016561C3 mov eax, dword ptr fs:[00000030h] 5_2_016561C3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0160E1D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0160E1D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160E1D0 mov ecx, dword ptr fs:[00000030h] 5_2_0160E1D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0160E1D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160E1D0 mov eax, dword ptr fs:[00000030h] 5_2_0160E1D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158A197 mov eax, dword ptr fs:[00000030h] 5_2_0158A197
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158A197 mov eax, dword ptr fs:[00000030h] 5_2_0158A197
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158A197 mov eax, dword ptr fs:[00000030h] 5_2_0158A197
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D0185 mov eax, dword ptr fs:[00000030h] 5_2_015D0185
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01634180 mov eax, dword ptr fs:[00000030h] 5_2_01634180
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01634180 mov eax, dword ptr fs:[00000030h] 5_2_01634180
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0164C188 mov eax, dword ptr fs:[00000030h] 5_2_0164C188
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0164C188 mov eax, dword ptr fs:[00000030h] 5_2_0164C188
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161019F mov eax, dword ptr fs:[00000030h] 5_2_0161019F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161019F mov eax, dword ptr fs:[00000030h] 5_2_0161019F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161019F mov eax, dword ptr fs:[00000030h] 5_2_0161019F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161019F mov eax, dword ptr fs:[00000030h] 5_2_0161019F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01592050 mov eax, dword ptr fs:[00000030h] 5_2_01592050
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BC073 mov eax, dword ptr fs:[00000030h] 5_2_015BC073
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01616050 mov eax, dword ptr fs:[00000030h] 5_2_01616050
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE016 mov eax, dword ptr fs:[00000030h] 5_2_015AE016
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE016 mov eax, dword ptr fs:[00000030h] 5_2_015AE016
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE016 mov eax, dword ptr fs:[00000030h] 5_2_015AE016
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE016 mov eax, dword ptr fs:[00000030h] 5_2_015AE016
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01626030 mov eax, dword ptr fs:[00000030h] 5_2_01626030
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01614000 mov ecx, dword ptr fs:[00000030h] 5_2_01614000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01632000 mov eax, dword ptr fs:[00000030h] 5_2_01632000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158A020 mov eax, dword ptr fs:[00000030h] 5_2_0158A020
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158C020 mov eax, dword ptr fs:[00000030h] 5_2_0158C020
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016160E0 mov eax, dword ptr fs:[00000030h] 5_2_016160E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158C0F0 mov eax, dword ptr fs:[00000030h] 5_2_0158C0F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D20F0 mov ecx, dword ptr fs:[00000030h] 5_2_015D20F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015980E9 mov eax, dword ptr fs:[00000030h] 5_2_015980E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0158A0E3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016120DE mov eax, dword ptr fs:[00000030h] 5_2_016120DE
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016280A8 mov eax, dword ptr fs:[00000030h] 5_2_016280A8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159208A mov eax, dword ptr fs:[00000030h] 5_2_0159208A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016560B8 mov eax, dword ptr fs:[00000030h] 5_2_016560B8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016560B8 mov ecx, dword ptr fs:[00000030h] 5_2_016560B8
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163437C mov eax, dword ptr fs:[00000030h] 5_2_0163437C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01612349 mov eax, dword ptr fs:[00000030h] 5_2_01612349
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165A352 mov eax, dword ptr fs:[00000030h] 5_2_0165A352
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161035C mov eax, dword ptr fs:[00000030h] 5_2_0161035C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161035C mov eax, dword ptr fs:[00000030h] 5_2_0161035C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161035C mov eax, dword ptr fs:[00000030h] 5_2_0161035C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161035C mov ecx, dword ptr fs:[00000030h] 5_2_0161035C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161035C mov eax, dword ptr fs:[00000030h] 5_2_0161035C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161035C mov eax, dword ptr fs:[00000030h] 5_2_0161035C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158C310 mov ecx, dword ptr fs:[00000030h] 5_2_0158C310
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B0310 mov ecx, dword ptr fs:[00000030h] 5_2_015B0310
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA30B mov eax, dword ptr fs:[00000030h] 5_2_015CA30B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA30B mov eax, dword ptr fs:[00000030h] 5_2_015CA30B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA30B mov eax, dword ptr fs:[00000030h] 5_2_015CA30B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0159A3C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0159A3C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0159A3C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0159A3C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0159A3C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0159A3C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015983C0 mov eax, dword ptr fs:[00000030h] 5_2_015983C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015983C0 mov eax, dword ptr fs:[00000030h] 5_2_015983C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015983C0 mov eax, dword ptr fs:[00000030h] 5_2_015983C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015983C0 mov eax, dword ptr fs:[00000030h] 5_2_015983C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016163C0 mov eax, dword ptr fs:[00000030h] 5_2_016163C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C63FF mov eax, dword ptr fs:[00000030h] 5_2_015C63FF
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0164C3CD mov eax, dword ptr fs:[00000030h] 5_2_0164C3CD
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE3F0 mov eax, dword ptr fs:[00000030h] 5_2_015AE3F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE3F0 mov eax, dword ptr fs:[00000030h] 5_2_015AE3F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE3F0 mov eax, dword ptr fs:[00000030h] 5_2_015AE3F0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h] 5_2_015A03E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h] 5_2_015A03E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h] 5_2_015A03E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h] 5_2_015A03E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h] 5_2_015A03E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h] 5_2_015A03E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h] 5_2_015A03E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A03E9 mov eax, dword ptr fs:[00000030h] 5_2_015A03E9
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016343D4 mov eax, dword ptr fs:[00000030h] 5_2_016343D4
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016343D4 mov eax, dword ptr fs:[00000030h] 5_2_016343D4
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01588397 mov eax, dword ptr fs:[00000030h] 5_2_01588397
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01588397 mov eax, dword ptr fs:[00000030h] 5_2_01588397
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01588397 mov eax, dword ptr fs:[00000030h] 5_2_01588397
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158E388 mov eax, dword ptr fs:[00000030h] 5_2_0158E388
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158E388 mov eax, dword ptr fs:[00000030h] 5_2_0158E388
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158E388 mov eax, dword ptr fs:[00000030h] 5_2_0158E388
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B438F mov eax, dword ptr fs:[00000030h] 5_2_015B438F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B438F mov eax, dword ptr fs:[00000030h] 5_2_015B438F
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01596259 mov eax, dword ptr fs:[00000030h] 5_2_01596259
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158A250 mov eax, dword ptr fs:[00000030h] 5_2_0158A250
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01640274 mov eax, dword ptr fs:[00000030h] 5_2_01640274
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01618243 mov eax, dword ptr fs:[00000030h] 5_2_01618243
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01618243 mov ecx, dword ptr fs:[00000030h] 5_2_01618243
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158826B mov eax, dword ptr fs:[00000030h] 5_2_0158826B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01594260 mov eax, dword ptr fs:[00000030h] 5_2_01594260
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01594260 mov eax, dword ptr fs:[00000030h] 5_2_01594260
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01594260 mov eax, dword ptr fs:[00000030h] 5_2_01594260
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158823B mov eax, dword ptr fs:[00000030h] 5_2_0158823B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0159A2C3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0159A2C3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0159A2C3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0159A2C3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0159A2C3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A02E1 mov eax, dword ptr fs:[00000030h] 5_2_015A02E1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A02E1 mov eax, dword ptr fs:[00000030h] 5_2_015A02E1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A02E1 mov eax, dword ptr fs:[00000030h] 5_2_015A02E1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h] 5_2_016262A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016262A0 mov ecx, dword ptr fs:[00000030h] 5_2_016262A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h] 5_2_016262A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h] 5_2_016262A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h] 5_2_016262A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016262A0 mov eax, dword ptr fs:[00000030h] 5_2_016262A0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CE284 mov eax, dword ptr fs:[00000030h] 5_2_015CE284
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CE284 mov eax, dword ptr fs:[00000030h] 5_2_015CE284
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01610283 mov eax, dword ptr fs:[00000030h] 5_2_01610283
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01610283 mov eax, dword ptr fs:[00000030h] 5_2_01610283
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01610283 mov eax, dword ptr fs:[00000030h] 5_2_01610283
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598550 mov eax, dword ptr fs:[00000030h] 5_2_01598550
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598550 mov eax, dword ptr fs:[00000030h] 5_2_01598550
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C656A mov eax, dword ptr fs:[00000030h] 5_2_015C656A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C656A mov eax, dword ptr fs:[00000030h] 5_2_015C656A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C656A mov eax, dword ptr fs:[00000030h] 5_2_015C656A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01626500 mov eax, dword ptr fs:[00000030h] 5_2_01626500
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h] 5_2_015BE53E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h] 5_2_015BE53E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h] 5_2_015BE53E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h] 5_2_015BE53E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BE53E mov eax, dword ptr fs:[00000030h] 5_2_015BE53E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01664500 mov eax, dword ptr fs:[00000030h] 5_2_01664500
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01664500 mov eax, dword ptr fs:[00000030h] 5_2_01664500
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01664500 mov eax, dword ptr fs:[00000030h] 5_2_01664500
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01664500 mov eax, dword ptr fs:[00000030h] 5_2_01664500
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01664500 mov eax, dword ptr fs:[00000030h] 5_2_01664500
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01664500 mov eax, dword ptr fs:[00000030h] 5_2_01664500
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01664500 mov eax, dword ptr fs:[00000030h] 5_2_01664500
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h] 5_2_015A0535
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h] 5_2_015A0535
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h] 5_2_015A0535
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h] 5_2_015A0535
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h] 5_2_015A0535
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0535 mov eax, dword ptr fs:[00000030h] 5_2_015A0535
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015965D0 mov eax, dword ptr fs:[00000030h] 5_2_015965D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA5D0 mov eax, dword ptr fs:[00000030h] 5_2_015CA5D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA5D0 mov eax, dword ptr fs:[00000030h] 5_2_015CA5D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CE5CF mov eax, dword ptr fs:[00000030h] 5_2_015CE5CF (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CC5ED mov eax, dword ptr fs:[00000030h] 5_2_015CC5ED (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015925E0 mov eax, dword ptr fs:[00000030h] 5_2_015925E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BE5E7 mov eax, dword ptr fs:[00000030h] 5_2_015BE5E7 (8 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CE59C mov eax, dword ptr fs:[00000030h] 5_2_015CE59C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016105A7 mov eax, dword ptr fs:[00000030h] 5_2_016105A7 (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C4588 mov eax, dword ptr fs:[00000030h] 5_2_015C4588
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01592582 mov eax, dword ptr fs:[00000030h] 5_2_01592582
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01592582 mov ecx, dword ptr fs:[00000030h] 5_2_01592582
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B45B1 mov eax, dword ptr fs:[00000030h] 5_2_015B45B1 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B245A mov eax, dword ptr fs:[00000030h] 5_2_015B245A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161C460 mov ecx, dword ptr fs:[00000030h] 5_2_0161C460
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158645D mov eax, dword ptr fs:[00000030h] 5_2_0158645D
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CE443 mov eax, dword ptr fs:[00000030h] 5_2_015CE443 (8 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BA470 mov eax, dword ptr fs:[00000030h] 5_2_015BA470 (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01616420 mov eax, dword ptr fs:[00000030h] 5_2_01616420 (7 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C8402 mov eax, dword ptr fs:[00000030h] 5_2_015C8402 (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA430 mov eax, dword ptr fs:[00000030h] 5_2_015CA430
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158E420 mov eax, dword ptr fs:[00000030h] 5_2_0158E420 (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158C427 mov eax, dword ptr fs:[00000030h] 5_2_0158C427
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015904E5 mov ecx, dword ptr fs:[00000030h] 5_2_015904E5
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161A4B0 mov eax, dword ptr fs:[00000030h] 5_2_0161A4B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C44B0 mov ecx, dword ptr fs:[00000030h] 5_2_015C44B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015964AB mov eax, dword ptr fs:[00000030h] 5_2_015964AB
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590750 mov eax, dword ptr fs:[00000030h] 5_2_01590750
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2750 mov eax, dword ptr fs:[00000030h] 5_2_015D2750 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C674D mov esi, dword ptr fs:[00000030h] 5_2_015C674D
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C674D mov eax, dword ptr fs:[00000030h] 5_2_015C674D (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598770 mov eax, dword ptr fs:[00000030h] 5_2_01598770
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0770 mov eax, dword ptr fs:[00000030h] 5_2_015A0770 (12 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01614755 mov eax, dword ptr fs:[00000030h] 5_2_01614755
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161E75D mov eax, dword ptr fs:[00000030h] 5_2_0161E75D
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590710 mov eax, dword ptr fs:[00000030h] 5_2_01590710
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C0710 mov eax, dword ptr fs:[00000030h] 5_2_015C0710
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160C730 mov eax, dword ptr fs:[00000030h] 5_2_0160C730
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CC700 mov eax, dword ptr fs:[00000030h] 5_2_015CC700
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C273C mov eax, dword ptr fs:[00000030h] 5_2_015C273C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C273C mov ecx, dword ptr fs:[00000030h] 5_2_015C273C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C273C mov eax, dword ptr fs:[00000030h] 5_2_015C273C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CC720 mov eax, dword ptr fs:[00000030h] 5_2_015CC720 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161E7E1 mov eax, dword ptr fs:[00000030h] 5_2_0161E7E1
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159C7C0 mov eax, dword ptr fs:[00000030h] 5_2_0159C7C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016107C3 mov eax, dword ptr fs:[00000030h] 5_2_016107C3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015947FB mov eax, dword ptr fs:[00000030h] 5_2_015947FB (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B27ED mov eax, dword ptr fs:[00000030h] 5_2_015B27ED (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163678E mov eax, dword ptr fs:[00000030h] 5_2_0163678E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015907AF mov eax, dword ptr fs:[00000030h] 5_2_015907AF
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165866E mov eax, dword ptr fs:[00000030h] 5_2_0165866E (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AC640 mov eax, dword ptr fs:[00000030h] 5_2_015AC640
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C2674 mov eax, dword ptr fs:[00000030h] 5_2_015C2674
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA660 mov eax, dword ptr fs:[00000030h] 5_2_015CA660 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D2619 mov eax, dword ptr fs:[00000030h] 5_2_015D2619
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A260B mov eax, dword ptr fs:[00000030h] 5_2_015A260B (7 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160E609 mov eax, dword ptr fs:[00000030h] 5_2_0160E609
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159262C mov eax, dword ptr fs:[00000030h] 5_2_0159262C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C6620 mov eax, dword ptr fs:[00000030h] 5_2_015C6620
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C8620 mov eax, dword ptr fs:[00000030h] 5_2_015C8620
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AE627 mov eax, dword ptr fs:[00000030h] 5_2_015AE627
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016106F1 mov eax, dword ptr fs:[00000030h] 5_2_016106F1 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160E6F2 mov eax, dword ptr fs:[00000030h] 5_2_0160E6F2 (4 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA6C7 mov ebx, dword ptr fs:[00000030h] 5_2_015CA6C7
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA6C7 mov eax, dword ptr fs:[00000030h] 5_2_015CA6C7
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01594690 mov eax, dword ptr fs:[00000030h] 5_2_01594690 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C66B0 mov eax, dword ptr fs:[00000030h] 5_2_015C66B0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CC6A6 mov eax, dword ptr fs:[00000030h] 5_2_015CC6A6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01634978 mov eax, dword ptr fs:[00000030h] 5_2_01634978 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161C97C mov eax, dword ptr fs:[00000030h] 5_2_0161C97C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01610946 mov eax, dword ptr fs:[00000030h] 5_2_01610946
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D096E mov eax, dword ptr fs:[00000030h] 5_2_015D096E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D096E mov edx, dword ptr fs:[00000030h] 5_2_015D096E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015D096E mov eax, dword ptr fs:[00000030h] 5_2_015D096E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B6962 mov eax, dword ptr fs:[00000030h] 5_2_015B6962 (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01588918 mov eax, dword ptr fs:[00000030h] 5_2_01588918 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0162892B mov eax, dword ptr fs:[00000030h] 5_2_0162892B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161892A mov eax, dword ptr fs:[00000030h] 5_2_0161892A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160E908 mov eax, dword ptr fs:[00000030h] 5_2_0160E908 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161C912 mov eax, dword ptr fs:[00000030h] 5_2_0161C912
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161E9E0 mov eax, dword ptr fs:[00000030h] 5_2_0161E9E0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159A9D0 mov eax, dword ptr fs:[00000030h] 5_2_0159A9D0 (6 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C49D0 mov eax, dword ptr fs:[00000030h] 5_2_015C49D0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016269C0 mov eax, dword ptr fs:[00000030h] 5_2_016269C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C29F9 mov eax, dword ptr fs:[00000030h] 5_2_015C29F9 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165A9D3 mov eax, dword ptr fs:[00000030h] 5_2_0165A9D3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016189B3 mov esi, dword ptr fs:[00000030h] 5_2_016189B3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_016189B3 mov eax, dword ptr fs:[00000030h] 5_2_016189B3 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015909AD mov eax, dword ptr fs:[00000030h] 5_2_015909AD (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A29A0 mov eax, dword ptr fs:[00000030h] 5_2_015A29A0 (13 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01594859 mov eax, dword ptr fs:[00000030h] 5_2_01594859 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C0854 mov eax, dword ptr fs:[00000030h] 5_2_015C0854
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01626870 mov eax, dword ptr fs:[00000030h] 5_2_01626870 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161E872 mov eax, dword ptr fs:[00000030h] 5_2_0161E872 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A2840 mov ecx, dword ptr fs:[00000030h] 5_2_015A2840
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163483A mov eax, dword ptr fs:[00000030h] 5_2_0163483A (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CA830 mov eax, dword ptr fs:[00000030h] 5_2_015CA830
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B2835 mov eax, dword ptr fs:[00000030h] 5_2_015B2835 (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B2835 mov ecx, dword ptr fs:[00000030h] 5_2_015B2835
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B2835 mov eax, dword ptr fs:[00000030h] 5_2_015B2835 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161C810 mov eax, dword ptr fs:[00000030h] 5_2_0161C810
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165A8E4 mov eax, dword ptr fs:[00000030h] 5_2_0165A8E4
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BE8C0 mov eax, dword ptr fs:[00000030h] 5_2_015BE8C0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CC8F9 mov eax, dword ptr fs:[00000030h] 5_2_015CC8F9 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590887 mov eax, dword ptr fs:[00000030h] 5_2_01590887
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161C89D mov eax, dword ptr fs:[00000030h] 5_2_0161C89D
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01638B42 mov eax, dword ptr fs:[00000030h] 5_2_01638B42
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01626B40 mov eax, dword ptr fs:[00000030h] 5_2_01626B40 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0165AB40 mov eax, dword ptr fs:[00000030h] 5_2_0165AB40
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158CB7E mov eax, dword ptr fs:[00000030h] 5_2_0158CB7E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01658B28 mov eax, dword ptr fs:[00000030h] 5_2_01658B28 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BEB20 mov eax, dword ptr fs:[00000030h] 5_2_015BEB20 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160EB1D mov eax, dword ptr fs:[00000030h] 5_2_0160EB1D (9 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B0BCB mov eax, dword ptr fs:[00000030h] 5_2_015B0BCB (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161CBF0 mov eax, dword ptr fs:[00000030h] 5_2_0161CBF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590BCD mov eax, dword ptr fs:[00000030h] 5_2_01590BCD (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BEBFC mov eax, dword ptr fs:[00000030h] 5_2_015BEBFC
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598BF0 mov eax, dword ptr fs:[00000030h] 5_2_01598BF0 (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0163EBD0 mov eax, dword ptr fs:[00000030h] 5_2_0163EBD0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0BBE mov eax, dword ptr fs:[00000030h] 5_2_015A0BBE (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015A0A5B mov eax, dword ptr fs:[00000030h] 5_2_015A0A5B (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01596A50 mov eax, dword ptr fs:[00000030h] 5_2_01596A50 (7 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0160CA72 mov eax, dword ptr fs:[00000030h] 5_2_0160CA72 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CCA6F mov eax, dword ptr fs:[00000030h] 5_2_015CCA6F (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CCA38 mov eax, dword ptr fs:[00000030h] 5_2_015CCA38
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015B4A35 mov eax, dword ptr fs:[00000030h] 5_2_015B4A35 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0161CA11 mov eax, dword ptr fs:[00000030h] 5_2_0161CA11
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BEA2E mov eax, dword ptr fs:[00000030h] 5_2_015BEA2E
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CCA24 mov eax, dword ptr fs:[00000030h] 5_2_015CCA24
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590AD0 mov eax, dword ptr fs:[00000030h] 5_2_01590AD0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C4AD0 mov eax, dword ptr fs:[00000030h] 5_2_015C4AD0 (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015E6ACC mov eax, dword ptr fs:[00000030h] 5_2_015E6ACC (3 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015CAAEE mov eax, dword ptr fs:[00000030h] 5_2_015CAAEE (2 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C8A90 mov edx, dword ptr fs:[00000030h] 5_2_015C8A90
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159EA80 mov eax, dword ptr fs:[00000030h] 5_2_0159EA80 (9 occurrences)
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01664A80 mov eax, dword ptr fs:[00000030h] 5_2_01664A80
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598AA0 mov eax, dword ptr fs:[00000030h] 5_2_01598AA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598AA0 mov eax, dword ptr fs:[00000030h] 5_2_01598AA0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015E6AA4 mov eax, dword ptr fs:[00000030h] 5_2_015E6AA4
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590D59 mov eax, dword ptr fs:[00000030h] 5_2_01590D59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590D59 mov eax, dword ptr fs:[00000030h] 5_2_01590D59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01590D59 mov eax, dword ptr fs:[00000030h] 5_2_01590D59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598D59 mov eax, dword ptr fs:[00000030h] 5_2_01598D59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598D59 mov eax, dword ptr fs:[00000030h] 5_2_01598D59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598D59 mov eax, dword ptr fs:[00000030h] 5_2_01598D59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598D59 mov eax, dword ptr fs:[00000030h] 5_2_01598D59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01598D59 mov eax, dword ptr fs:[00000030h] 5_2_01598D59
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01628D6B mov eax, dword ptr fs:[00000030h] 5_2_01628D6B
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015C4D1D mov eax, dword ptr fs:[00000030h] 5_2_015C4D1D
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01618D20 mov eax, dword ptr fs:[00000030h] 5_2_01618D20
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01586D10 mov eax, dword ptr fs:[00000030h] 5_2_01586D10
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01586D10 mov eax, dword ptr fs:[00000030h] 5_2_01586D10
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01586D10 mov eax, dword ptr fs:[00000030h] 5_2_01586D10
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AAD00 mov eax, dword ptr fs:[00000030h] 5_2_015AAD00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AAD00 mov eax, dword ptr fs:[00000030h] 5_2_015AAD00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015AAD00 mov eax, dword ptr fs:[00000030h] 5_2_015AAD00
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01648D10 mov eax, dword ptr fs:[00000030h] 5_2_01648D10
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01648D10 mov eax, dword ptr fs:[00000030h] 5_2_01648D10
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BEDD3 mov eax, dword ptr fs:[00000030h] 5_2_015BEDD3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BEDD3 mov eax, dword ptr fs:[00000030h] 5_2_015BEDD3
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01630DF0 mov eax, dword ptr fs:[00000030h] 5_2_01630DF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01630DF0 mov eax, dword ptr fs:[00000030h] 5_2_01630DF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BCDF0 mov eax, dword ptr fs:[00000030h] 5_2_015BCDF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_015BCDF0 mov ecx, dword ptr fs:[00000030h] 5_2_015BCDF0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01586DF6 mov eax, dword ptr fs:[00000030h] 5_2_01586DF6
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158CDEA mov eax, dword ptr fs:[00000030h] 5_2_0158CDEA
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0158CDEA mov eax, dword ptr fs:[00000030h] 5_2_0158CDEA
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01614DD7 mov eax, dword ptr fs:[00000030h] 5_2_01614DD7
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_01614DD7 mov eax, dword ptr fs:[00000030h] 5_2_01614DD7
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159ADE0 mov eax, dword ptr fs:[00000030h] 5_2_0159ADE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159ADE0 mov eax, dword ptr fs:[00000030h] 5_2_0159ADE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159ADE0 mov eax, dword ptr fs:[00000030h] 5_2_0159ADE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159ADE0 mov eax, dword ptr fs:[00000030h] 5_2_0159ADE0
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Code function: 5_2_0159ADE0 mov eax, dword ptr fs:[00000030h] 5_2_0159ADE0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"
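The process creation above removes the dropper from Defender scanning with one cmdlet, run from a non-elevated-looking but clearly untrusted parent. The detector below is an added example written for this page, not part of the report and not a vendor rule. It works on process-creation command lines (the Image and CommandLine fields of Sysmon event 1, or Security event 4688 with command-line auditing enabled) and, because the report also records a Sigma hit for a base64-encoded MpPreference cmdlet, it decodes -EncodedCommand payloads before matching instead of hunting for base64 fragments. The event records it runs on are constructed; the first mirrors the command line shown above, the others are invented to exercise the encoded and benign paths.

```python
import base64
import re

# Add-/Set-MpPreference parameters that carve holes in Defender scanning.
EXCLUSION_PARAMS = ("ExclusionPath", "ExclusionProcess", "ExclusionExtension", "ExclusionIpAddress")

_CMDLET_RE = re.compile(r"(?i)\b(Add|Set)-MpPreference\b")
_PARAM_RE = re.compile(
    r"(?i)-(" + "|".join(EXCLUSION_PARAMS) + r")\s+(?:\"([^\"]*)\"|'([^']*)'|(\S+))"
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings most often seen. The payload is base64 of UTF-16LE text.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def mp_exclusion_findings(cmdline):
    """Detect Defender exclusion changes in one process command line.

    Returns None when nothing matches, otherwise a dict with the cmdlet, the
    exclusion parameters with their values, and whether the command was hidden
    behind -EncodedCommand. Limitation: comma-separated multi-value lists
    (-ExclusionPath a, b) are reported as their first element only.
    """
    decoded = decode_encoded_command(cmdline)
    script = decoded if decoded is not None else cmdline
    cmdlet = _CMDLET_RE.search(script)
    if not cmdlet:
        return None
    exclusions = []
    for m in _PARAM_RE.finditer(script):
        name = next(p for p in EXCLUSION_PARAMS if p.lower() == m.group(1).lower())
        value = next(v for v in m.groups()[1:] if v is not None)
        exclusions.append((name, value))
    if not exclusions:
        return None
    return {"cmdlet": cmdlet.group(0), "exclusions": exclusions, "encoded": decoded is not None}


def scan_events(events):
    """Run the detector over (ParentImage, Image, CommandLine) records."""
    alerts = []
    for parent, image, cmdline in events:
        finding = mp_exclusion_findings(cmdline)
        if finding:
            alerts.append({"parent": parent, "image": image, **finding})
    return alerts


def _enc(script):
    """Build an -EncodedCommand payload the way powershell.exe expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed process-creation records. The first mirrors the report's entry;
# the second is an invented encoded variant; the third is benign.
SAMPLE_EVENTS = [
    (r"C:\Users\user\Desktop\TEKLIF 2002509.exe",
     r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"'),
    (r"C:\Users\user\Desktop\dropper.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe -nop -w hidden -enc " + _enc("Set-MpPreference -ExclusionProcess 'chkdsk.exe' -ExclusionExtension exe")),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-MpPreference | Select-Object ExclusionPath"),
]


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        flag = " (encoded)" if a["encoded"] else ""
        print("%s -> %s%s: %s" % (a["parent"], a["cmdlet"], flag, a["exclusions"]))
```

Pair the command-line match with the parent process: an exclusion added by a binary in a user's Desktop or Temp directory, as here, is far more suspicious than one added by an installer. Defender itself also logs exclusion changes (event 5007 in Microsoft-Windows-Windows Defender/Operational records the changed Exclusions\Paths value), which catches changes made without PowerShell.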
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe NtClose: Indirect: 0x150A56C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe NtClose: Indirect: 0x154A56C
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe NtQueueApcThread: Indirect: 0x150A4F2
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe NtQueueApcThread: Indirect: 0x154A4F2
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Memory written: C:\Users\user\Desktop\TEKLIF 2002509.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section loaded: NULL target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Thread register set: target process: 4004
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 4004
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: C40000
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Process created: C:\Users\user\Desktop\TEKLIF 2002509.exe "C:\Users\user\Desktop\TEKLIF 2002509.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\TEKLIF 2002509.exe"
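Read together, the entries above are a hollowing chain: the sample starts a suspended copy of itself, writes a PE (the 4D5A prefix) at base 400000, unmaps the original chkdsk.exe image at C40000, resets thread contexts in the target and queues an APC into explorer.exe, after which chkdsk.exe deletes the dropper with cmd.exe. A hook on cross-process writes can distinguish a mapped image from plain shellcode by parsing the buffer's headers instead of only checking for MZ. The code below is an added example written for this page, not the report's logic and not the sample's code: it parses the DOS, COFF and optional headers of a written buffer and reports bitness, preferred ImageBase, entry point and whether the write lands at the image's own base. The PE header bytes and the write records are constructed for the demonstration and do not reproduce the real payload.

```python
import struct

IMAGE_FILE_DLL = 0x2000


def parse_pe_header(buf):
    """Parse the DOS, COFF and optional headers of an in-memory PE image.

    Returns None when buf does not begin with a PE file, otherwise a dict with
    the fields that matter when judging a cross-process write.
    """
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x10B:                                          # PE32
        image_base = struct.unpack_from("<I", buf, opt + 28)[0]
    elif magic == 0x20B:                                        # PE32+
        image_base = struct.unpack_from("<Q", buf, opt + 24)[0]
    else:
        return None
    return {
        "bits": 32 if magic == 0x10B else 64,
        "machine": machine,
        "sections": nsections,
        "timestamp": timestamp,
        "image_base": image_base,
        "entry_rva": struct.unpack_from("<I", buf, opt + 16)[0],
        "subsystem": struct.unpack_from("<H", buf, opt + 68)[0],
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
    }


def assess_remote_write(write_base, buf):
    """Classify bytes written into another process the way a write hook would.

    A buffer that starts with a whole PE image is the hallmark of hollowing or
    manual mapping; raw shellcode carries no MZ/PE header at all.
    """
    hdr = parse_pe_header(buf)
    if hdr is None:
        return {"verdict": "not_pe", "mz_prefix": buf[:2] == b"MZ"}
    notes = []
    if hdr["image_base"] != write_base:
        notes.append("ImageBase 0x%X != write address 0x%X (loader must relocate)"
                     % (hdr["image_base"], write_base))
    else:
        notes.append("written at its preferred ImageBase 0x%X" % write_base)
    notes.append("entry point at 0x%X" % (write_base + hdr["entry_rva"]))
    return {"verdict": "pe_image_write", "header": hdr, "notes": notes}


def triage_writes(writes):
    """Run assess_remote_write over (source, target, base, data) records."""
    out = []
    for source, target, base, data in writes:
        r = assess_remote_write(base, data)
        r.update({"source": source, "target": target, "base": base})
        out.append(r)
    return out


def build_sample_pe32(image_base=0x400000, entry_rva=0x1000):
    """Constructed minimal PE32 header (headers only, not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0x66E00000, 0, 0, 0xE0, 0x0102)  # i386, 3 sections, EXECUTABLE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                 # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)                # ImageBase
    struct.pack_into("<H", opt, 68, 2)                         # Subsystem: Windows GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed write records (source, target, write base, data); the first mirrors
# the report's "base: 400000 value starts with: 4D5A" entry, the second is a
# what-if where the payload lands where the unmapped original was, the third is
# header-less shellcode-like bytes.
SAMPLE_WRITES = [
    ("TEKLIF 2002509.exe", "TEKLIF 2002509.exe (suspended child)", 0x400000, build_sample_pe32()),
    ("TEKLIF 2002509.exe", "chkdsk.exe", 0xC40000, build_sample_pe32()),
    ("chkdsk.exe", "explorer.exe", 0x5350000, b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 26),
]


if __name__ == "__main__":
    for r in triage_writes(SAMPLE_WRITES):
        print("%s -> %s @ 0x%X: %s %s" % (r["source"], r["target"], r["base"], r["verdict"], r.get("notes", "")))
```

The header alone is not a verdict: legitimate loaders and some installers also write images into child processes. What makes this chain malicious is the combination of an unmapped original image, a PE written at its base, a SetThreadContext on the suspended thread, and an APC queued into a process the writer has no business touching.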
Source: explorer.exe, 00000006.00000002.4608698873.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2148805570.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: explorer.exe, 00000006.00000000.2151899758.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4608698873.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2148805570.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000002.4608698873.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2148805570.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000002.4603783392.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2148161605.0000000000D69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +Progman
Source: explorer.exe, 00000006.00000002.4608698873.00000000013A1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.2148805570.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000003.2979331163.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000002.4614750288.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.2161826176.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd31A
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Queries volume information: C:\Users\user\Desktop\TEKLIF 2002509.exe VolumeInformation
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\Desktop\TEKLIF 2002509.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.TEKLIF 2002509.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2270351243.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4603507582.0000000004C60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607228112.0000000005350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4607400279.0000000005380000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2150736016.0000000003A49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos